1/* 2 * IEEE 802.11 RSN / WPA Authenticator 3 * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "utils/state_machine.h" 14#include "utils/bitfield.h" 15#include "common/ieee802_11_defs.h" 16#include "common/ocv.h" 17#include "crypto/aes.h" 18#include "crypto/aes_wrap.h" 19#include "crypto/aes_siv.h" 20#include "crypto/crypto.h" 21#include "crypto/sha1.h" 22#include "crypto/sha256.h" 23#include "crypto/sha384.h" 24#include "crypto/random.h" 25#include "eapol_auth/eapol_auth_sm.h" 26#include "drivers/driver.h" 27#include "ap_config.h" 28#include "ieee802_11.h" 29#include "wpa_auth.h" 30#include "pmksa_cache_auth.h" 31#include "wpa_auth_i.h" 32#include "wpa_auth_ie.h" 33 34#define STATE_MACHINE_DATA struct wpa_state_machine 35#define STATE_MACHINE_DEBUG_PREFIX "WPA" 36#define STATE_MACHINE_ADDR sm->addr 37 38 39static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx); 40static int wpa_sm_step(struct wpa_state_machine *sm); 41static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK, 42 u8 *data, size_t data_len); 43#ifdef CONFIG_FILS 44static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk, 45 u8 *buf, size_t buf_len, u16 *_key_data_len); 46static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm, 47 const struct wpabuf *hlp); 48#endif /* CONFIG_FILS */ 49static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx); 50static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 51 struct wpa_group *group); 52static void wpa_request_new_ptk(struct wpa_state_machine *sm); 53static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 54 struct wpa_group *group); 55static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 56 struct wpa_group *group); 57static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 58 const u8 *pmk, unsigned int pmk_len, 59 struct wpa_ptk *ptk); 60static void wpa_group_free(struct wpa_authenticator *wpa_auth, 61 struct wpa_group *group); 62static void wpa_group_get(struct wpa_authenticator *wpa_auth, 63 struct wpa_group *group); 64static void wpa_group_put(struct wpa_authenticator *wpa_auth, 65 struct wpa_group *group); 66static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos); 67 68static const u32 eapol_key_timeout_first = 100; /* ms */ 69static const u32 eapol_key_timeout_subseq = 1000; /* ms */ 70static const u32 eapol_key_timeout_first_group = 500; /* ms */ 71static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */ 72 73/* TODO: make these configurable */ 74static const int dot11RSNAConfigPMKLifetime = 43200; 75static const int dot11RSNAConfigPMKReauthThreshold = 70; 76static const int dot11RSNAConfigSATimeout = 60; 77 78 79static inline int wpa_auth_mic_failure_report( 80 struct wpa_authenticator *wpa_auth, const u8 *addr) 81{ 82 if (wpa_auth->cb->mic_failure_report) 83 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr); 84 return 0; 85} 86 87 88static inline void wpa_auth_psk_failure_report( 89 struct wpa_authenticator *wpa_auth, const u8 *addr) 90{ 91 if (wpa_auth->cb->psk_failure_report) 92 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr); 93} 94 95 96static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth, 97 const u8 *addr, wpa_eapol_variable var, 98 int value) 99{ 100 if (wpa_auth->cb->set_eapol) 101 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value); 102} 103 104 105static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth, 106 const u8 *addr, wpa_eapol_variable var) 107{ 108 if (wpa_auth->cb->get_eapol == NULL) 109 return -1; 110 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var); 111} 112 113 114static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth, 115 const u8 *addr, 116 const u8 *p2p_dev_addr, 117 const u8 *prev_psk, size_t *psk_len, 118 int *vlan_id) 119{ 120 if (wpa_auth->cb->get_psk == NULL) 121 return NULL; 122 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr, 123 prev_psk, psk_len, vlan_id); 124} 125 126 127static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth, 128 const u8 *addr, u8 *msk, size_t *len) 129{ 130 if (wpa_auth->cb->get_msk == NULL) 131 return -1; 132 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len); 133} 134 135 136static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, 137 int vlan_id, 138 enum wpa_alg alg, const u8 *addr, int idx, 139 u8 *key, size_t key_len) 140{ 141 if (wpa_auth->cb->set_key == NULL) 142 return -1; 143 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx, 144 key, key_len); 145} 146 147 148static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth, 149 const u8 *addr, int idx, u8 *seq) 150{ 151 if (wpa_auth->cb->get_seqnum == NULL) 152 return -1; 153 return wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq); 154} 155 156 157static inline int 158wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr, 159 const u8 *data, size_t data_len, int encrypt) 160{ 161 if (wpa_auth->cb->send_eapol == NULL) 162 return -1; 163 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len, 164 encrypt); 165} 166 167 168#ifdef CONFIG_MESH 169static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth, 170 const u8 *addr) 171{ 172 if (wpa_auth->cb->start_ampe == NULL) 173 return -1; 174 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr); 175} 176#endif /* CONFIG_MESH */ 177 178 179int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth, 180 int (*cb)(struct wpa_state_machine *sm, void *ctx), 181 void *cb_ctx) 182{ 183 if (wpa_auth->cb->for_each_sta == NULL) 184 return 0; 185 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx); 186} 187 188 189int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, 190 int (*cb)(struct wpa_authenticator *a, void *ctx), 191 void *cb_ctx) 192{ 193 if (wpa_auth->cb->for_each_auth == NULL) 194 return 0; 195 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx); 196} 197 198 199void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr, 200 logger_level level, const char *txt) 201{ 202 if (wpa_auth->cb->logger == NULL) 203 return; 204 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt); 205} 206 207 208void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr, 209 logger_level level, const char *fmt, ...) 210{ 211 char *format; 212 int maxlen; 213 va_list ap; 214 215 if (wpa_auth->cb->logger == NULL) 216 return; 217 218 maxlen = os_strlen(fmt) + 100; 219 format = os_malloc(maxlen); 220 if (!format) 221 return; 222 223 va_start(ap, fmt); 224 vsnprintf(format, maxlen, fmt, ap); 225 va_end(ap); 226 227 wpa_auth_logger(wpa_auth, addr, level, format); 228 229 os_free(format); 230} 231 232 233static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth, 234 const u8 *addr, u16 reason) 235{ 236 if (wpa_auth->cb->disconnect == NULL) 237 return; 238 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR " (reason %u)", 239 MAC2STR(addr), reason); 240 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, reason); 241} 242 243 244#ifdef CONFIG_OCV 245static int wpa_channel_info(struct wpa_authenticator *wpa_auth, 246 struct wpa_channel_info *ci) 247{ 248 if (!wpa_auth->cb->channel_info) 249 return -1; 250 return wpa_auth->cb->channel_info(wpa_auth->cb_ctx, ci); 251} 252#endif /* CONFIG_OCV */ 253 254 255static int wpa_auth_update_vlan(struct wpa_authenticator *wpa_auth, 256 const u8 *addr, int vlan_id) 257{ 258 if (!wpa_auth->cb->update_vlan) 259 return -1; 260 return wpa_auth->cb->update_vlan(wpa_auth->cb_ctx, addr, vlan_id); 261} 262 263 264static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx) 265{ 266 struct wpa_authenticator *wpa_auth = eloop_ctx; 267 268 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) { 269 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 270 "initialization."); 271 } else { 272 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd"); 273 wpa_hexdump_key(MSG_DEBUG, "GMK", 274 wpa_auth->group->GMK, WPA_GMK_LEN); 275 } 276 277 if (wpa_auth->conf.wpa_gmk_rekey) { 278 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 279 wpa_rekey_gmk, wpa_auth, NULL); 280 } 281} 282 283 284static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx) 285{ 286 struct wpa_authenticator *wpa_auth = eloop_ctx; 287 struct wpa_group *group, *next; 288 289 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK"); 290 group = wpa_auth->group; 291 while (group) { 292 wpa_group_get(wpa_auth, group); 293 294 group->GTKReKey = TRUE; 295 do { 296 group->changed = FALSE; 297 wpa_group_sm_step(wpa_auth, group); 298 } while (group->changed); 299 300 next = group->next; 301 wpa_group_put(wpa_auth, group); 302 group = next; 303 } 304 305 if (wpa_auth->conf.wpa_group_rekey) { 306 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 307 0, wpa_rekey_gtk, wpa_auth, NULL); 308 } 309} 310 311 312static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 313{ 314 struct wpa_authenticator *wpa_auth = eloop_ctx; 315 struct wpa_state_machine *sm = timeout_ctx; 316 317 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); 318 wpa_request_new_ptk(sm); 319 wpa_sm_step(sm); 320} 321 322 323void wpa_auth_set_ptk_rekey_timer(struct wpa_state_machine *sm) 324{ 325 if (sm && sm->wpa_auth->conf.wpa_ptk_rekey) { 326 wpa_printf(MSG_DEBUG, "WPA: Start PTK rekeying timer for " 327 MACSTR " (%d seconds)", MAC2STR(sm->addr), 328 sm->wpa_auth->conf.wpa_ptk_rekey); 329 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 330 eloop_register_timeout(sm->wpa_auth->conf.wpa_ptk_rekey, 0, 331 wpa_rekey_ptk, sm->wpa_auth, sm); 332 } 333} 334 335 336static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx) 337{ 338 if (sm->pmksa == ctx) 339 sm->pmksa = NULL; 340 return 0; 341} 342 343 344static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 345 void *ctx) 346{ 347 struct wpa_authenticator *wpa_auth = ctx; 348 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry); 349} 350 351 352static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth, 353 struct wpa_group *group) 354{ 355 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)]; 356 u8 rkey[32]; 357 unsigned long ptr; 358 359 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0) 360 return -1; 361 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN); 362 363 /* 364 * Counter = PRF-256(Random number, "Init Counter", 365 * Local MAC Address || Time) 366 */ 367 os_memcpy(buf, wpa_auth->addr, ETH_ALEN); 368 wpa_get_ntp_timestamp(buf + ETH_ALEN); 369 ptr = (unsigned long) group; 370 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr)); 371#ifdef TEST_FUZZ 372 os_memset(buf + ETH_ALEN, 0xab, 8); 373 os_memset(buf + ETH_ALEN + 8, 0xcd, sizeof(ptr)); 374#endif /* TEST_FUZZ */ 375 if (random_get_bytes(rkey, sizeof(rkey)) < 0) 376 return -1; 377 378 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf), 379 group->Counter, WPA_NONCE_LEN) < 0) 380 return -1; 381 wpa_hexdump_key(MSG_DEBUG, "Key Counter", 382 group->Counter, WPA_NONCE_LEN); 383 384 return 0; 385} 386 387 388static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth, 389 int vlan_id, int delay_init) 390{ 391 struct wpa_group *group; 392 393 group = os_zalloc(sizeof(struct wpa_group)); 394 if (group == NULL) 395 return NULL; 396 397 group->GTKAuthenticator = TRUE; 398 group->vlan_id = vlan_id; 399 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 400 401 if (random_pool_ready() != 1) { 402 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 403 "for secure operations - update keys later when " 404 "the first station connects"); 405 } 406 407 /* 408 * Set initial GMK/Counter value here. The actual values that will be 409 * used in negotiations will be set once the first station tries to 410 * connect. This allows more time for collecting additional randomness 411 * on embedded devices. 412 */ 413 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) { 414 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 415 "initialization."); 416 os_free(group); 417 return NULL; 418 } 419 420 group->GInit = TRUE; 421 if (delay_init) { 422 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start " 423 "until Beacon frames have been configured"); 424 /* Initialization is completed in wpa_init_keys(). */ 425 } else { 426 wpa_group_sm_step(wpa_auth, group); 427 group->GInit = FALSE; 428 wpa_group_sm_step(wpa_auth, group); 429 } 430 431 return group; 432} 433 434 435/** 436 * wpa_init - Initialize WPA authenticator 437 * @addr: Authenticator address 438 * @conf: Configuration for WPA authenticator 439 * @cb: Callback functions for WPA authenticator 440 * Returns: Pointer to WPA authenticator data or %NULL on failure 441 */ 442struct wpa_authenticator * wpa_init(const u8 *addr, 443 struct wpa_auth_config *conf, 444 const struct wpa_auth_callbacks *cb, 445 void *cb_ctx) 446{ 447 struct wpa_authenticator *wpa_auth; 448 449 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator)); 450 if (wpa_auth == NULL) 451 return NULL; 452 os_memcpy(wpa_auth->addr, addr, ETH_ALEN); 453 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 454 wpa_auth->cb = cb; 455 wpa_auth->cb_ctx = cb_ctx; 456 457 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 458 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 459 os_free(wpa_auth); 460 return NULL; 461 } 462 463 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1); 464 if (wpa_auth->group == NULL) { 465 os_free(wpa_auth->wpa_ie); 466 os_free(wpa_auth); 467 return NULL; 468 } 469 470 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb, 471 wpa_auth); 472 if (wpa_auth->pmksa == NULL) { 473 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed."); 474 os_free(wpa_auth->group); 475 os_free(wpa_auth->wpa_ie); 476 os_free(wpa_auth); 477 return NULL; 478 } 479 480#ifdef CONFIG_IEEE80211R_AP 481 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init(); 482 if (wpa_auth->ft_pmk_cache == NULL) { 483 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed."); 484 os_free(wpa_auth->group); 485 os_free(wpa_auth->wpa_ie); 486 pmksa_cache_auth_deinit(wpa_auth->pmksa); 487 os_free(wpa_auth); 488 return NULL; 489 } 490#endif /* CONFIG_IEEE80211R_AP */ 491 492 if (wpa_auth->conf.wpa_gmk_rekey) { 493 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 494 wpa_rekey_gmk, wpa_auth, NULL); 495 } 496 497 if (wpa_auth->conf.wpa_group_rekey) { 498 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0, 499 wpa_rekey_gtk, wpa_auth, NULL); 500 } 501 502#ifdef CONFIG_P2P 503 if (WPA_GET_BE32(conf->ip_addr_start)) { 504 int count = WPA_GET_BE32(conf->ip_addr_end) - 505 WPA_GET_BE32(conf->ip_addr_start) + 1; 506 if (count > 1000) 507 count = 1000; 508 if (count > 0) 509 wpa_auth->ip_pool = bitfield_alloc(count); 510 } 511#endif /* CONFIG_P2P */ 512 513 return wpa_auth; 514} 515 516 517int wpa_init_keys(struct wpa_authenticator *wpa_auth) 518{ 519 struct wpa_group *group = wpa_auth->group; 520 521 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial " 522 "keys"); 523 wpa_group_sm_step(wpa_auth, group); 524 group->GInit = FALSE; 525 wpa_group_sm_step(wpa_auth, group); 526 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 527 return -1; 528 return 0; 529} 530 531 532/** 533 * wpa_deinit - Deinitialize WPA authenticator 534 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 535 */ 536void wpa_deinit(struct wpa_authenticator *wpa_auth) 537{ 538 struct wpa_group *group, *prev; 539 540 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL); 541 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 542 543 pmksa_cache_auth_deinit(wpa_auth->pmksa); 544 545#ifdef CONFIG_IEEE80211R_AP 546 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache); 547 wpa_auth->ft_pmk_cache = NULL; 548 wpa_ft_deinit(wpa_auth); 549#endif /* CONFIG_IEEE80211R_AP */ 550 551#ifdef CONFIG_P2P 552 bitfield_free(wpa_auth->ip_pool); 553#endif /* CONFIG_P2P */ 554 555 556 os_free(wpa_auth->wpa_ie); 557 558 group = wpa_auth->group; 559 while (group) { 560 prev = group; 561 group = group->next; 562 os_free(prev); 563 } 564 565 os_free(wpa_auth); 566} 567 568 569/** 570 * wpa_reconfig - Update WPA authenticator configuration 571 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 572 * @conf: Configuration for WPA authenticator 573 */ 574int wpa_reconfig(struct wpa_authenticator *wpa_auth, 575 struct wpa_auth_config *conf) 576{ 577 struct wpa_group *group; 578 if (wpa_auth == NULL) 579 return 0; 580 581 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 582 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 583 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 584 return -1; 585 } 586 587 /* 588 * Reinitialize GTK to make sure it is suitable for the new 589 * configuration. 590 */ 591 group = wpa_auth->group; 592 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 593 group->GInit = TRUE; 594 wpa_group_sm_step(wpa_auth, group); 595 group->GInit = FALSE; 596 wpa_group_sm_step(wpa_auth, group); 597 598 return 0; 599} 600 601 602struct wpa_state_machine * 603wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr, 604 const u8 *p2p_dev_addr) 605{ 606 struct wpa_state_machine *sm; 607 608 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 609 return NULL; 610 611 sm = os_zalloc(sizeof(struct wpa_state_machine)); 612 if (sm == NULL) 613 return NULL; 614 os_memcpy(sm->addr, addr, ETH_ALEN); 615 if (p2p_dev_addr) 616 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN); 617 618 sm->wpa_auth = wpa_auth; 619 sm->group = wpa_auth->group; 620 wpa_group_get(sm->wpa_auth, sm->group); 621 622 return sm; 623} 624 625 626int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, 627 struct wpa_state_machine *sm) 628{ 629 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 630 return -1; 631 632#ifdef CONFIG_IEEE80211R_AP 633 if (sm->ft_completed) { 634 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 635 "FT authentication already completed - do not " 636 "start 4-way handshake"); 637 /* Go to PTKINITDONE state to allow GTK rekeying */ 638 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; 639 sm->Pair = TRUE; 640 return 0; 641 } 642#endif /* CONFIG_IEEE80211R_AP */ 643 644#ifdef CONFIG_FILS 645 if (sm->fils_completed) { 646 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 647 "FILS authentication already completed - do not start 4-way handshake"); 648 /* Go to PTKINITDONE state to allow GTK rekeying */ 649 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; 650 sm->Pair = TRUE; 651 return 0; 652 } 653#endif /* CONFIG_FILS */ 654 655 if (sm->started) { 656 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay)); 657 sm->ReAuthenticationRequest = TRUE; 658 return wpa_sm_step(sm); 659 } 660 661 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 662 "start authentication"); 663 sm->started = 1; 664 665 sm->Init = TRUE; 666 if (wpa_sm_step(sm) == 1) 667 return 1; /* should not really happen */ 668 sm->Init = FALSE; 669 sm->AuthenticationRequest = TRUE; 670 return wpa_sm_step(sm); 671} 672 673 674void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm) 675{ 676 /* WPA/RSN was not used - clear WPA state. This is needed if the STA 677 * reassociates back to the same AP while the previous entry for the 678 * STA has not yet been removed. */ 679 if (sm == NULL) 680 return; 681 682 sm->wpa_key_mgmt = 0; 683} 684 685 686static void wpa_free_sta_sm(struct wpa_state_machine *sm) 687{ 688#ifdef CONFIG_P2P 689 if (WPA_GET_BE32(sm->ip_addr)) { 690 u32 start; 691 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP " 692 "address %u.%u.%u.%u from " MACSTR, 693 sm->ip_addr[0], sm->ip_addr[1], 694 sm->ip_addr[2], sm->ip_addr[3], 695 MAC2STR(sm->addr)); 696 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start); 697 bitfield_clear(sm->wpa_auth->ip_pool, 698 WPA_GET_BE32(sm->ip_addr) - start); 699 } 700#endif /* CONFIG_P2P */ 701 if (sm->GUpdateStationKeys) { 702 sm->group->GKeyDoneStations--; 703 sm->GUpdateStationKeys = FALSE; 704 } 705#ifdef CONFIG_IEEE80211R_AP 706 os_free(sm->assoc_resp_ftie); 707 wpabuf_free(sm->ft_pending_req_ies); 708#endif /* CONFIG_IEEE80211R_AP */ 709 os_free(sm->last_rx_eapol_key); 710 os_free(sm->wpa_ie); 711 wpa_group_put(sm->wpa_auth, sm->group); 712#ifdef CONFIG_DPP2 713 wpabuf_clear_free(sm->dpp_z); 714#endif /* CONFIG_DPP2 */ 715 bin_clear_free(sm, sizeof(*sm)); 716} 717 718 719void wpa_auth_sta_deinit(struct wpa_state_machine *sm) 720{ 721 if (sm == NULL) 722 return; 723 724 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) { 725 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 726 "strict rekeying - force GTK rekey since STA " 727 "is leaving"); 728 if (eloop_deplete_timeout(0, 500000, wpa_rekey_gtk, 729 sm->wpa_auth, NULL) == -1) 730 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth, 731 NULL); 732 } 733 734 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 735 sm->pending_1_of_4_timeout = 0; 736 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL); 737 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 738#ifdef CONFIG_IEEE80211R_AP 739 wpa_ft_sta_deinit(sm); 740#endif /* CONFIG_IEEE80211R_AP */ 741 if (sm->in_step_loop) { 742 /* Must not free state machine while wpa_sm_step() is running. 743 * Freeing will be completed in the end of wpa_sm_step(). */ 744 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state " 745 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 746 sm->pending_deinit = 1; 747 } else 748 wpa_free_sta_sm(sm); 749} 750 751 752static void wpa_request_new_ptk(struct wpa_state_machine *sm) 753{ 754 if (sm == NULL) 755 return; 756 757 sm->PTKRequest = TRUE; 758 sm->PTK_valid = 0; 759} 760 761 762static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr, 763 const u8 *replay_counter) 764{ 765 int i; 766 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 767 if (!ctr[i].valid) 768 break; 769 if (os_memcmp(replay_counter, ctr[i].counter, 770 WPA_REPLAY_COUNTER_LEN) == 0) 771 return 1; 772 } 773 return 0; 774} 775 776 777static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr, 778 const u8 *replay_counter) 779{ 780 int i; 781 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 782 if (ctr[i].valid && 783 (replay_counter == NULL || 784 os_memcmp(replay_counter, ctr[i].counter, 785 WPA_REPLAY_COUNTER_LEN) == 0)) 786 ctr[i].valid = FALSE; 787 } 788} 789 790 791#ifdef CONFIG_IEEE80211R_AP 792static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth, 793 struct wpa_state_machine *sm, 794 struct wpa_eapol_ie_parse *kde) 795{ 796 struct wpa_ie_data ie; 797 struct rsn_mdie *mdie; 798 799 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 || 800 ie.num_pmkid != 1 || ie.pmkid == NULL) { 801 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in " 802 "FT 4-way handshake message 2/4"); 803 return -1; 804 } 805 806 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN); 807 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant", 808 sm->sup_pmk_r1_name, PMKID_LEN); 809 810 if (!kde->mdie || !kde->ftie) { 811 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake " 812 "message 2/4", kde->mdie ? "FTIE" : "MDIE"); 813 return -1; 814 } 815 816 mdie = (struct rsn_mdie *) (kde->mdie + 2); 817 if (kde->mdie[1] < sizeof(struct rsn_mdie) || 818 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain, 819 MOBILITY_DOMAIN_ID_LEN) != 0) { 820 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch"); 821 return -1; 822 } 823 824 if (sm->assoc_resp_ftie && 825 (kde->ftie[1] != sm->assoc_resp_ftie[1] || 826 os_memcmp(kde->ftie, sm->assoc_resp_ftie, 827 2 + sm->assoc_resp_ftie[1]) != 0)) { 828 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch"); 829 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4", 830 kde->ftie, kde->ftie_len); 831 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp", 832 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]); 833 return -1; 834 } 835 836 return 0; 837} 838#endif /* CONFIG_IEEE80211R_AP */ 839 840 841static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth, 842 struct wpa_state_machine *sm, int group) 843{ 844 /* Supplicant reported a Michael MIC error */ 845 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 846 "received EAPOL-Key Error Request " 847 "(STA detected Michael MIC failure (group=%d))", 848 group); 849 850 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) { 851 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 852 "ignore Michael MIC failure report since " 853 "group cipher is not TKIP"); 854 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) { 855 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 856 "ignore Michael MIC failure report since " 857 "pairwise cipher is not TKIP"); 858 } else { 859 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0) 860 return 1; /* STA entry was removed */ 861 sm->dot11RSNAStatsTKIPRemoteMICFailures++; 862 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++; 863 } 864 865 /* 866 * Error report is not a request for a new key handshake, but since 867 * Authenticator may do it, let's change the keys now anyway. 868 */ 869 wpa_request_new_ptk(sm); 870 return 0; 871} 872 873 874static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data, 875 size_t data_len) 876{ 877 struct wpa_ptk PTK; 878 int ok = 0; 879 const u8 *pmk = NULL; 880 size_t pmk_len; 881 int vlan_id = 0; 882 883 os_memset(&PTK, 0, sizeof(PTK)); 884 for (;;) { 885 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && 886 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) { 887 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 888 sm->p2p_dev_addr, pmk, &pmk_len, 889 &vlan_id); 890 if (pmk == NULL) 891 break; 892#ifdef CONFIG_IEEE80211R_AP 893 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) { 894 os_memcpy(sm->xxkey, pmk, pmk_len); 895 sm->xxkey_len = pmk_len; 896 } 897#endif /* CONFIG_IEEE80211R_AP */ 898 } else { 899 pmk = sm->PMK; 900 pmk_len = sm->pmk_len; 901 } 902 903 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK) < 0) 904 break; 905 906 if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK, 907 data, data_len) == 0) { 908 if (sm->PMK != pmk) { 909 os_memcpy(sm->PMK, pmk, pmk_len); 910 sm->pmk_len = pmk_len; 911 } 912 ok = 1; 913 break; 914 } 915 916 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 917 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) 918 break; 919 } 920 921 if (!ok) { 922 wpa_printf(MSG_DEBUG, 923 "WPA: Earlier SNonce did not result in matching MIC"); 924 return -1; 925 } 926 927 wpa_printf(MSG_DEBUG, 928 "WPA: Earlier SNonce resulted in matching MIC"); 929 sm->alt_snonce_valid = 0; 930 931 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && 932 wpa_auth_update_vlan(sm->wpa_auth, sm->addr, vlan_id) < 0) 933 return -1; 934 935 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN); 936 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 937 forced_memzero(&PTK, sizeof(PTK)); 938 sm->PTK_valid = TRUE; 939 940 return 0; 941} 942 943 944void wpa_receive(struct wpa_authenticator *wpa_auth, 945 struct wpa_state_machine *sm, 946 u8 *data, size_t data_len) 947{ 948 struct ieee802_1x_hdr *hdr; 949 struct wpa_eapol_key *key; 950 u16 key_info, key_data_length; 951 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST } msg; 952 char *msgtxt; 953 struct wpa_eapol_ie_parse kde; 954 const u8 *key_data; 955 size_t keyhdrlen, mic_len; 956 u8 *mic; 957 958 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 959 return; 960 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len); 961 962 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 963 keyhdrlen = sizeof(*key) + mic_len + 2; 964 965 if (data_len < sizeof(*hdr) + keyhdrlen) { 966 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame"); 967 return; 968 } 969 970 hdr = (struct ieee802_1x_hdr *) data; 971 key = (struct wpa_eapol_key *) (hdr + 1); 972 mic = (u8 *) (key + 1); 973 key_info = WPA_GET_BE16(key->key_info); 974 key_data = mic + mic_len + 2; 975 key_data_length = WPA_GET_BE16(mic + mic_len); 976 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR 977 " key_info=0x%x type=%u mic_len=%u key_data_length=%u", 978 MAC2STR(sm->addr), key_info, key->type, 979 (unsigned int) mic_len, key_data_length); 980 wpa_hexdump(MSG_MSGDUMP, 981 "WPA: EAPOL-Key header (ending before Key MIC)", 982 key, sizeof(*key)); 983 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC", 984 mic, mic_len); 985 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) { 986 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - " 987 "key_data overflow (%d > %lu)", 988 key_data_length, 989 (unsigned long) (data_len - sizeof(*hdr) - 990 keyhdrlen)); 991 return; 992 } 993 994 if (sm->wpa == WPA_VERSION_WPA2) { 995 if (key->type == EAPOL_KEY_TYPE_WPA) { 996 /* 997 * Some deployed station implementations seem to send 998 * msg 4/4 with incorrect type value in WPA2 mode. 999 */ 1000 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key " 1001 "with unexpected WPA type in RSN mode"); 1002 } else if (key->type != EAPOL_KEY_TYPE_RSN) { 1003 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 1004 "unexpected type %d in RSN mode", 1005 key->type); 1006 return; 1007 } 1008 } else { 1009 if (key->type != EAPOL_KEY_TYPE_WPA) { 1010 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 1011 "unexpected type %d in WPA mode", 1012 key->type); 1013 return; 1014 } 1015 } 1016 1017 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce, 1018 WPA_NONCE_LEN); 1019 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter", 1020 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1021 1022 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys 1023 * are set */ 1024 1025 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 1026 wpa_printf(MSG_DEBUG, "WPA: Ignore SMK message"); 1027 return; 1028 } 1029 1030 if (key_info & WPA_KEY_INFO_REQUEST) { 1031 msg = REQUEST; 1032 msgtxt = "Request"; 1033 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) { 1034 msg = GROUP_2; 1035 msgtxt = "2/2 Group"; 1036 } else if (key_data_length == 0 || 1037 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && 1038 key_data_length == AES_BLOCK_SIZE)) { 1039 msg = PAIRWISE_4; 1040 msgtxt = "4/4 Pairwise"; 1041 } else { 1042 msg = PAIRWISE_2; 1043 msgtxt = "2/4 Pairwise"; 1044 } 1045 1046 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 || 1047 msg == GROUP_2) { 1048 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 1049 if (sm->pairwise == WPA_CIPHER_CCMP || 1050 sm->pairwise == WPA_CIPHER_GCMP) { 1051 if (wpa_use_cmac(sm->wpa_key_mgmt) && 1052 !wpa_use_akm_defined(sm->wpa_key_mgmt) && 1053 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1054 wpa_auth_logger(wpa_auth, sm->addr, 1055 LOGGER_WARNING, 1056 "advertised support for " 1057 "AES-128-CMAC, but did not " 1058 "use it"); 1059 return; 1060 } 1061 1062 if (!wpa_use_cmac(sm->wpa_key_mgmt) && 1063 !wpa_use_akm_defined(sm->wpa_key_mgmt) && 1064 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1065 wpa_auth_logger(wpa_auth, sm->addr, 1066 LOGGER_WARNING, 1067 "did not use HMAC-SHA1-AES " 1068 "with CCMP/GCMP"); 1069 return; 1070 } 1071 } 1072 1073 if (wpa_use_akm_defined(sm->wpa_key_mgmt) && 1074 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { 1075 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1076 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases"); 1077 return; 1078 } 1079 } 1080 1081 if (key_info & WPA_KEY_INFO_REQUEST) { 1082 if (sm->req_replay_counter_used && 1083 os_memcmp(key->replay_counter, sm->req_replay_counter, 1084 WPA_REPLAY_COUNTER_LEN) <= 0) { 1085 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1086 "received EAPOL-Key request with " 1087 "replayed counter"); 1088 return; 1089 } 1090 } 1091 1092 if (!(key_info & WPA_KEY_INFO_REQUEST) && 1093 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) { 1094 int i; 1095 1096 if (msg == PAIRWISE_2 && 1097 wpa_replay_counter_valid(sm->prev_key_replay, 1098 key->replay_counter) && 1099 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1100 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) 1101 { 1102 /* 1103 * Some supplicant implementations (e.g., Windows XP 1104 * WZC) update SNonce for each EAPOL-Key 2/4. This 1105 * breaks the workaround on accepting any of the 1106 * pending requests, so allow the SNonce to be updated 1107 * even if we have already sent out EAPOL-Key 3/4. 1108 */ 1109 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1110 "Process SNonce update from STA " 1111 "based on retransmitted EAPOL-Key " 1112 "1/4"); 1113 sm->update_snonce = 1; 1114 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN); 1115 sm->alt_snonce_valid = TRUE; 1116 os_memcpy(sm->alt_replay_counter, 1117 sm->key_replay[0].counter, 1118 WPA_REPLAY_COUNTER_LEN); 1119 goto continue_processing; 1120 } 1121 1122 if (msg == PAIRWISE_4 && sm->alt_snonce_valid && 1123 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1124 os_memcmp(key->replay_counter, sm->alt_replay_counter, 1125 WPA_REPLAY_COUNTER_LEN) == 0) { 1126 /* 1127 * Supplicant may still be using the old SNonce since 1128 * there was two EAPOL-Key 2/4 messages and they had 1129 * different SNonce values. 1130 */ 1131 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1132 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4"); 1133 goto continue_processing; 1134 } 1135 1136 if (msg == PAIRWISE_2 && 1137 wpa_replay_counter_valid(sm->prev_key_replay, 1138 key->replay_counter) && 1139 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) { 1140 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1141 "ignore retransmitted EAPOL-Key %s - " 1142 "SNonce did not change", msgtxt); 1143 } else { 1144 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1145 "received EAPOL-Key %s with " 1146 "unexpected replay counter", msgtxt); 1147 } 1148 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 1149 if (!sm->key_replay[i].valid) 1150 break; 1151 wpa_hexdump(MSG_DEBUG, "pending replay counter", 1152 sm->key_replay[i].counter, 1153 WPA_REPLAY_COUNTER_LEN); 1154 } 1155 wpa_hexdump(MSG_DEBUG, "received replay counter", 1156 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1157 return; 1158 } 1159 1160continue_processing: 1161#ifdef CONFIG_FILS 1162 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 && 1163 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1164 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1165 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame"); 1166 return; 1167 } 1168#endif /* CONFIG_FILS */ 1169 1170 switch (msg) { 1171 case PAIRWISE_2: 1172 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART && 1173 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING && 1174 (!sm->update_snonce || 1175 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) { 1176 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1177 "received EAPOL-Key msg 2/4 in " 1178 "invalid state (%d) - dropped", 1179 sm->wpa_ptk_state); 1180 return; 1181 } 1182 random_add_randomness(key->key_nonce, WPA_NONCE_LEN); 1183 if (sm->group->reject_4way_hs_for_entropy) { 1184 /* 1185 * The system did not have enough entropy to generate 1186 * strong random numbers. Reject the first 4-way 1187 * handshake(s) and collect some entropy based on the 1188 * information from it. Once enough entropy is 1189 * available, the next atempt will trigger GMK/Key 1190 * Counter update and the station will be allowed to 1191 * continue. 1192 */ 1193 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to " 1194 "collect more entropy for random number " 1195 "generation"); 1196 random_mark_pool_ready(); 1197 wpa_sta_disconnect(wpa_auth, sm->addr, 1198 WLAN_REASON_PREV_AUTH_NOT_VALID); 1199 return; 1200 } 1201 break; 1202 case PAIRWISE_4: 1203 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING || 1204 !sm->PTK_valid) { 1205 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1206 "received EAPOL-Key msg 4/4 in " 1207 "invalid state (%d) - dropped", 1208 sm->wpa_ptk_state); 1209 return; 1210 } 1211 break; 1212 case GROUP_2: 1213 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING 1214 || !sm->PTK_valid) { 1215 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1216 "received EAPOL-Key msg 2/2 in " 1217 "invalid state (%d) - dropped", 1218 sm->wpa_ptk_group_state); 1219 return; 1220 } 1221 break; 1222 case REQUEST: 1223 break; 1224 } 1225 1226 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1227 "received EAPOL-Key frame (%s)", msgtxt); 1228 1229 if (key_info & WPA_KEY_INFO_ACK) { 1230 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1231 "received invalid EAPOL-Key: Key Ack set"); 1232 return; 1233 } 1234 1235 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1236 !(key_info & WPA_KEY_INFO_MIC)) { 1237 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1238 "received invalid EAPOL-Key: Key MIC not set"); 1239 return; 1240 } 1241 1242#ifdef CONFIG_FILS 1243 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1244 (key_info & WPA_KEY_INFO_MIC)) { 1245 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1246 "received invalid EAPOL-Key: Key MIC set"); 1247 return; 1248 } 1249#endif /* CONFIG_FILS */ 1250 1251 sm->MICVerified = FALSE; 1252 if (sm->PTK_valid && !sm->update_snonce) { 1253 if (mic_len && 1254 wpa_verify_key_mic(sm->wpa_key_mgmt, sm->pmk_len, &sm->PTK, 1255 data, data_len) && 1256 (msg != PAIRWISE_4 || !sm->alt_snonce_valid || 1257 wpa_try_alt_snonce(sm, data, data_len))) { 1258 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1259 "received EAPOL-Key with invalid MIC"); 1260#ifdef TEST_FUZZ 1261 wpa_printf(MSG_INFO, 1262 "TEST: Ignore Key MIC failure for fuzz testing"); 1263 goto continue_fuzz; 1264#endif /* TEST_FUZZ */ 1265 return; 1266 } 1267#ifdef CONFIG_FILS 1268 if (!mic_len && 1269 wpa_aead_decrypt(sm, &sm->PTK, data, data_len, 1270 &key_data_length) < 0) { 1271 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1272 "received EAPOL-Key with invalid MIC"); 1273#ifdef TEST_FUZZ 1274 wpa_printf(MSG_INFO, 1275 "TEST: Ignore Key MIC failure for fuzz testing"); 1276 goto continue_fuzz; 1277#endif /* TEST_FUZZ */ 1278 return; 1279 } 1280#endif /* CONFIG_FILS */ 1281#ifdef TEST_FUZZ 1282 continue_fuzz: 1283#endif /* TEST_FUZZ */ 1284 sm->MICVerified = TRUE; 1285 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 1286 sm->pending_1_of_4_timeout = 0; 1287 } 1288 1289 if (key_info & WPA_KEY_INFO_REQUEST) { 1290 if (sm->MICVerified) { 1291 sm->req_replay_counter_used = 1; 1292 os_memcpy(sm->req_replay_counter, key->replay_counter, 1293 WPA_REPLAY_COUNTER_LEN); 1294 } else { 1295 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1296 "received EAPOL-Key request with " 1297 "invalid MIC"); 1298 return; 1299 } 1300 1301 /* 1302 * TODO: should decrypt key data field if encryption was used; 1303 * even though MAC address KDE is not normally encrypted, 1304 * supplicant is allowed to encrypt it. 1305 */ 1306 if (key_info & WPA_KEY_INFO_ERROR) { 1307 if (wpa_receive_error_report( 1308 wpa_auth, sm, 1309 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0) 1310 return; /* STA entry was removed */ 1311 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1312 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1313 "received EAPOL-Key Request for new " 1314 "4-Way Handshake"); 1315 wpa_request_new_ptk(sm); 1316 } else if (key_data_length > 0 && 1317 wpa_parse_kde_ies(key_data, key_data_length, 1318 &kde) == 0 && 1319 kde.mac_addr) { 1320 } else { 1321 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1322 "received EAPOL-Key Request for GTK " 1323 "rekeying"); 1324 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 1325 wpa_rekey_gtk(wpa_auth, NULL); 1326 } 1327 } else { 1328 /* Do not allow the same key replay counter to be reused. */ 1329 wpa_replay_counter_mark_invalid(sm->key_replay, 1330 key->replay_counter); 1331 1332 if (msg == PAIRWISE_2) { 1333 /* 1334 * Maintain a copy of the pending EAPOL-Key frames in 1335 * case the EAPOL-Key frame was retransmitted. This is 1336 * needed to allow EAPOL-Key msg 2/4 reply to another 1337 * pending msg 1/4 to update the SNonce to work around 1338 * unexpected supplicant behavior. 1339 */ 1340 os_memcpy(sm->prev_key_replay, sm->key_replay, 1341 sizeof(sm->key_replay)); 1342 } else { 1343 os_memset(sm->prev_key_replay, 0, 1344 sizeof(sm->prev_key_replay)); 1345 } 1346 1347 /* 1348 * Make sure old valid counters are not accepted anymore and 1349 * do not get copied again. 1350 */ 1351 wpa_replay_counter_mark_invalid(sm->key_replay, NULL); 1352 } 1353 1354 os_free(sm->last_rx_eapol_key); 1355 sm->last_rx_eapol_key = os_memdup(data, data_len); 1356 if (sm->last_rx_eapol_key == NULL) 1357 return; 1358 sm->last_rx_eapol_key_len = data_len; 1359 1360 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE); 1361 sm->EAPOLKeyReceived = TRUE; 1362 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1363 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST); 1364 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN); 1365 wpa_sm_step(sm); 1366} 1367 1368 1369static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr, 1370 const u8 *gnonce, u8 *gtk, size_t gtk_len) 1371{ 1372 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + WPA_GTK_MAX_LEN]; 1373 u8 *pos; 1374 int ret = 0; 1375 1376 /* GTK = PRF-X(GMK, "Group key expansion", 1377 * AA || GNonce || Time || random data) 1378 * The example described in the IEEE 802.11 standard uses only AA and 1379 * GNonce as inputs here. Add some more entropy since this derivation 1380 * is done only at the Authenticator and as such, does not need to be 1381 * exactly same. 1382 */ 1383 os_memset(data, 0, sizeof(data)); 1384 os_memcpy(data, addr, ETH_ALEN); 1385 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN); 1386 pos = data + ETH_ALEN + WPA_NONCE_LEN; 1387 wpa_get_ntp_timestamp(pos); 1388#ifdef TEST_FUZZ 1389 os_memset(pos, 0xef, 8); 1390#endif /* TEST_FUZZ */ 1391 pos += 8; 1392 if (random_get_bytes(pos, gtk_len) < 0) 1393 ret = -1; 1394 1395#ifdef CONFIG_SHA384 1396 if (sha384_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), 1397 gtk, gtk_len) < 0) 1398 ret = -1; 1399#else /* CONFIG_SHA384 */ 1400#ifdef CONFIG_SHA256 1401 if (sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), 1402 gtk, gtk_len) < 0) 1403 ret = -1; 1404#else /* CONFIG_SHA256 */ 1405 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), 1406 gtk, gtk_len) < 0) 1407 ret = -1; 1408#endif /* CONFIG_SHA256 */ 1409#endif /* CONFIG_SHA384 */ 1410 1411 forced_memzero(data, sizeof(data)); 1412 1413 return ret; 1414} 1415 1416 1417static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx) 1418{ 1419 struct wpa_authenticator *wpa_auth = eloop_ctx; 1420 struct wpa_state_machine *sm = timeout_ctx; 1421 1422 sm->pending_1_of_4_timeout = 0; 1423 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout"); 1424 sm->TimeoutEvt = TRUE; 1425 wpa_sm_step(sm); 1426} 1427 1428 1429void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1430 struct wpa_state_machine *sm, int key_info, 1431 const u8 *key_rsc, const u8 *nonce, 1432 const u8 *kde, size_t kde_len, 1433 int keyidx, int encr, int force_version) 1434{ 1435 struct ieee802_1x_hdr *hdr; 1436 struct wpa_eapol_key *key; 1437 size_t len, mic_len, keyhdrlen; 1438 int alg; 1439 int key_data_len, pad_len = 0; 1440 u8 *buf, *pos; 1441 int version, pairwise; 1442 int i; 1443 u8 *key_mic, *key_data; 1444 1445 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 1446 keyhdrlen = sizeof(*key) + mic_len + 2; 1447 1448 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen; 1449 1450 if (force_version) 1451 version = force_version; 1452 else if (wpa_use_akm_defined(sm->wpa_key_mgmt)) 1453 version = WPA_KEY_INFO_TYPE_AKM_DEFINED; 1454 else if (wpa_use_cmac(sm->wpa_key_mgmt)) 1455 version = WPA_KEY_INFO_TYPE_AES_128_CMAC; 1456 else if (sm->pairwise != WPA_CIPHER_TKIP) 1457 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 1458 else 1459 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 1460 1461 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1462 1463 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d " 1464 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d " 1465 "encr=%d)", 1466 version, 1467 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0, 1468 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0, 1469 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0, 1470 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0, 1471 pairwise, (unsigned long) kde_len, keyidx, encr); 1472 1473 key_data_len = kde_len; 1474 1475 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1476 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) || 1477 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) { 1478 pad_len = key_data_len % 8; 1479 if (pad_len) 1480 pad_len = 8 - pad_len; 1481 key_data_len += pad_len + 8; 1482 } 1483 1484 len += key_data_len; 1485 if (!mic_len && encr) 1486 len += AES_BLOCK_SIZE; 1487 1488 hdr = os_zalloc(len); 1489 if (hdr == NULL) 1490 return; 1491 hdr->version = wpa_auth->conf.eapol_version; 1492 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1493 hdr->length = host_to_be16(len - sizeof(*hdr)); 1494 key = (struct wpa_eapol_key *) (hdr + 1); 1495 key_mic = (u8 *) (key + 1); 1496 key_data = ((u8 *) (hdr + 1)) + keyhdrlen; 1497 1498 key->type = sm->wpa == WPA_VERSION_WPA2 ? 1499 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1500 key_info |= version; 1501 if (encr && sm->wpa == WPA_VERSION_WPA2) 1502 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1503 if (sm->wpa != WPA_VERSION_WPA2) 1504 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT; 1505 WPA_PUT_BE16(key->key_info, key_info); 1506 1507 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group; 1508 if (sm->wpa == WPA_VERSION_WPA2 && !pairwise) 1509 WPA_PUT_BE16(key->key_length, 0); 1510 else 1511 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg)); 1512 1513 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) { 1514 sm->key_replay[i].valid = sm->key_replay[i - 1].valid; 1515 os_memcpy(sm->key_replay[i].counter, 1516 sm->key_replay[i - 1].counter, 1517 WPA_REPLAY_COUNTER_LEN); 1518 } 1519 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN); 1520 os_memcpy(key->replay_counter, sm->key_replay[0].counter, 1521 WPA_REPLAY_COUNTER_LEN); 1522 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", 1523 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1524 sm->key_replay[0].valid = TRUE; 1525 1526 if (nonce) 1527 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN); 1528 1529 if (key_rsc) 1530 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN); 1531 1532 if (kde && !encr) { 1533 os_memcpy(key_data, kde, kde_len); 1534 WPA_PUT_BE16(key_mic + mic_len, kde_len); 1535#ifdef CONFIG_FILS 1536 } else if (!mic_len && kde) { 1537 const u8 *aad[1]; 1538 size_t aad_len[1]; 1539 1540 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len); 1541 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1542 kde, kde_len); 1543 1544 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", 1545 sm->PTK.kek, sm->PTK.kek_len); 1546 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 1547 * to Key Data (exclusive). */ 1548 aad[0] = (u8 *) hdr; 1549 aad_len[0] = key_mic + 2 - (u8 *) hdr; 1550 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len, 1551 1, aad, aad_len, key_mic + 2) < 0) { 1552 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed"); 1553 return; 1554 } 1555 1556 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV", 1557 key_mic + 2, AES_BLOCK_SIZE + kde_len); 1558#endif /* CONFIG_FILS */ 1559 } else if (encr && kde) { 1560 buf = os_zalloc(key_data_len); 1561 if (buf == NULL) { 1562 os_free(hdr); 1563 return; 1564 } 1565 pos = buf; 1566 os_memcpy(pos, kde, kde_len); 1567 pos += kde_len; 1568 1569 if (pad_len) 1570 *pos++ = 0xdd; 1571 1572 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1573 buf, key_data_len); 1574 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1575 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) || 1576 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1577 wpa_printf(MSG_DEBUG, 1578 "WPA: Encrypt Key Data using AES-WRAP (KEK length %u)", 1579 (unsigned int) sm->PTK.kek_len); 1580 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len, 1581 (key_data_len - 8) / 8, buf, key_data)) { 1582 os_free(hdr); 1583 os_free(buf); 1584 return; 1585 } 1586 WPA_PUT_BE16(key_mic + mic_len, key_data_len); 1587#ifndef CONFIG_NO_RC4 1588 } else if (sm->PTK.kek_len == 16) { 1589 u8 ek[32]; 1590 1591 wpa_printf(MSG_DEBUG, 1592 "WPA: Encrypt Key Data using RC4"); 1593 os_memcpy(key->key_iv, 1594 sm->group->Counter + WPA_NONCE_LEN - 16, 16); 1595 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN); 1596 os_memcpy(ek, key->key_iv, 16); 1597 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len); 1598 os_memcpy(key_data, buf, key_data_len); 1599 rc4_skip(ek, 32, 256, key_data, key_data_len); 1600 WPA_PUT_BE16(key_mic + mic_len, key_data_len); 1601#endif /* CONFIG_NO_RC4 */ 1602 } else { 1603 os_free(hdr); 1604 os_free(buf); 1605 return; 1606 } 1607 os_free(buf); 1608 } 1609 1610 if (key_info & WPA_KEY_INFO_MIC) { 1611 if (!sm->PTK_valid || !mic_len) { 1612 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 1613 "PTK not valid when sending EAPOL-Key " 1614 "frame"); 1615 os_free(hdr); 1616 return; 1617 } 1618 1619 if (wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len, 1620 sm->wpa_key_mgmt, version, 1621 (u8 *) hdr, len, key_mic) < 0) { 1622 os_free(hdr); 1623 return; 1624 } 1625#ifdef CONFIG_TESTING_OPTIONS 1626 if (!pairwise && 1627 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 && 1628 drand48() < 1629 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) { 1630 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1631 "Corrupting group EAPOL-Key Key MIC"); 1632 key_mic[0]++; 1633 } 1634#endif /* CONFIG_TESTING_OPTIONS */ 1635 } 1636 1637 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1638 1); 1639 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len, 1640 sm->pairwise_set); 1641 os_free(hdr); 1642} 1643 1644 1645static void wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1646 struct wpa_state_machine *sm, int key_info, 1647 const u8 *key_rsc, const u8 *nonce, 1648 const u8 *kde, size_t kde_len, 1649 int keyidx, int encr) 1650{ 1651 int timeout_ms; 1652 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1653 u32 ctr; 1654 1655 if (sm == NULL) 1656 return; 1657 1658 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len, 1659 keyidx, encr, 0); 1660 1661 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr; 1662 if (ctr == 1 && wpa_auth->conf.tx_status) 1663 timeout_ms = pairwise ? eapol_key_timeout_first : 1664 eapol_key_timeout_first_group; 1665 else 1666 timeout_ms = eapol_key_timeout_subseq; 1667 if (wpa_auth->conf.wpa_disable_eapol_key_retries && 1668 (!pairwise || (key_info & WPA_KEY_INFO_MIC))) 1669 timeout_ms = eapol_key_timeout_no_retrans; 1670 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC)) 1671 sm->pending_1_of_4_timeout = 1; 1672#ifdef TEST_FUZZ 1673 timeout_ms = 1; 1674#endif /* TEST_FUZZ */ 1675 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry " 1676 "counter %u)", timeout_ms, ctr); 1677 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000, 1678 wpa_send_eapol_timeout, wpa_auth, sm); 1679} 1680 1681 1682static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK, 1683 u8 *data, size_t data_len) 1684{ 1685 struct ieee802_1x_hdr *hdr; 1686 struct wpa_eapol_key *key; 1687 u16 key_info; 1688 int ret = 0; 1689 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos; 1690 size_t mic_len = wpa_mic_len(akmp, pmk_len); 1691 1692 if (data_len < sizeof(*hdr) + sizeof(*key)) 1693 return -1; 1694 1695 hdr = (struct ieee802_1x_hdr *) data; 1696 key = (struct wpa_eapol_key *) (hdr + 1); 1697 mic_pos = (u8 *) (key + 1); 1698 key_info = WPA_GET_BE16(key->key_info); 1699 os_memcpy(mic, mic_pos, mic_len); 1700 os_memset(mic_pos, 0, mic_len); 1701 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp, 1702 key_info & WPA_KEY_INFO_TYPE_MASK, 1703 data, data_len, mic_pos) || 1704 os_memcmp_const(mic, mic_pos, mic_len) != 0) 1705 ret = -1; 1706 os_memcpy(mic_pos, mic, mic_len); 1707 return ret; 1708} 1709 1710 1711void wpa_remove_ptk(struct wpa_state_machine *sm) 1712{ 1713 sm->PTK_valid = FALSE; 1714 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1715 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 1716 0)) 1717 wpa_printf(MSG_DEBUG, 1718 "RSN: PTK removal from the driver failed"); 1719 sm->pairwise_set = FALSE; 1720 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 1721} 1722 1723 1724int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) 1725{ 1726 int remove_ptk = 1; 1727 1728 if (sm == NULL) 1729 return -1; 1730 1731 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1732 "event %d notification", event); 1733 1734 switch (event) { 1735 case WPA_AUTH: 1736#ifdef CONFIG_MESH 1737 /* PTKs are derived through AMPE */ 1738 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) { 1739 /* not mesh */ 1740 break; 1741 } 1742 return 0; 1743#endif /* CONFIG_MESH */ 1744 case WPA_ASSOC: 1745 break; 1746 case WPA_DEAUTH: 1747 case WPA_DISASSOC: 1748 sm->DeauthenticationRequest = TRUE; 1749#ifdef CONFIG_IEEE80211R_AP 1750 os_memset(sm->PMK, 0, sizeof(sm->PMK)); 1751 sm->pmk_len = 0; 1752 os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); 1753 sm->xxkey_len = 0; 1754 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1)); 1755 sm->pmk_r1_len = 0; 1756#endif /* CONFIG_IEEE80211R_AP */ 1757 break; 1758 case WPA_REAUTH: 1759 case WPA_REAUTH_EAPOL: 1760 if (!sm->started) { 1761 /* 1762 * When using WPS, we may end up here if the STA 1763 * manages to re-associate without the previous STA 1764 * entry getting removed. Consequently, we need to make 1765 * sure that the WPA state machines gets initialized 1766 * properly at this point. 1767 */ 1768 wpa_printf(MSG_DEBUG, "WPA state machine had not been " 1769 "started - initialize now"); 1770 sm->started = 1; 1771 sm->Init = TRUE; 1772 if (wpa_sm_step(sm) == 1) 1773 return 1; /* should not really happen */ 1774 sm->Init = FALSE; 1775 sm->AuthenticationRequest = TRUE; 1776 break; 1777 } 1778 if (sm->GUpdateStationKeys) { 1779 /* 1780 * Reauthentication cancels the pending group key 1781 * update for this STA. 1782 */ 1783 sm->group->GKeyDoneStations--; 1784 sm->GUpdateStationKeys = FALSE; 1785 sm->PtkGroupInit = TRUE; 1786 } 1787 sm->ReAuthenticationRequest = TRUE; 1788 break; 1789 case WPA_ASSOC_FT: 1790#ifdef CONFIG_IEEE80211R_AP 1791 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration " 1792 "after association"); 1793 wpa_ft_install_ptk(sm); 1794 1795 /* Using FT protocol, not WPA auth state machine */ 1796 sm->ft_completed = 1; 1797 wpa_auth_set_ptk_rekey_timer(sm); 1798 return 0; 1799#else /* CONFIG_IEEE80211R_AP */ 1800 break; 1801#endif /* CONFIG_IEEE80211R_AP */ 1802 case WPA_ASSOC_FILS: 1803#ifdef CONFIG_FILS 1804 wpa_printf(MSG_DEBUG, 1805 "FILS: TK configuration after association"); 1806 fils_set_tk(sm); 1807 sm->fils_completed = 1; 1808 return 0; 1809#else /* CONFIG_FILS */ 1810 break; 1811#endif /* CONFIG_FILS */ 1812 case WPA_DRV_STA_REMOVED: 1813 sm->tk_already_set = FALSE; 1814 return 0; 1815 } 1816 1817#ifdef CONFIG_IEEE80211R_AP 1818 sm->ft_completed = 0; 1819#endif /* CONFIG_IEEE80211R_AP */ 1820 1821#ifdef CONFIG_IEEE80211W 1822 if (sm->mgmt_frame_prot && event == WPA_AUTH) 1823 remove_ptk = 0; 1824#endif /* CONFIG_IEEE80211W */ 1825#ifdef CONFIG_FILS 1826 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1827 (event == WPA_AUTH || event == WPA_ASSOC)) 1828 remove_ptk = 0; 1829#endif /* CONFIG_FILS */ 1830 1831 if (remove_ptk) { 1832 sm->PTK_valid = FALSE; 1833 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1834 1835 if (event != WPA_REAUTH_EAPOL) 1836 wpa_remove_ptk(sm); 1837 } 1838 1839 if (sm->in_step_loop) { 1840 /* 1841 * wpa_sm_step() is already running - avoid recursive call to 1842 * it by making the existing loop process the new update. 1843 */ 1844 sm->changed = TRUE; 1845 return 0; 1846 } 1847 return wpa_sm_step(sm); 1848} 1849 1850 1851SM_STATE(WPA_PTK, INITIALIZE) 1852{ 1853 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk); 1854 if (sm->Init) { 1855 /* Init flag is not cleared here, so avoid busy 1856 * loop by claiming nothing changed. */ 1857 sm->changed = FALSE; 1858 } 1859 1860 sm->keycount = 0; 1861 if (sm->GUpdateStationKeys) 1862 sm->group->GKeyDoneStations--; 1863 sm->GUpdateStationKeys = FALSE; 1864 if (sm->wpa == WPA_VERSION_WPA) 1865 sm->PInitAKeys = FALSE; 1866 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and 1867 * Local AA > Remote AA)) */) { 1868 sm->Pair = TRUE; 1869 } 1870 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0); 1871 wpa_remove_ptk(sm); 1872 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0); 1873 sm->TimeoutCtr = 0; 1874 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 1875 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP || 1876 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) { 1877 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 1878 WPA_EAPOL_authorized, 0); 1879 } 1880} 1881 1882 1883SM_STATE(WPA_PTK, DISCONNECT) 1884{ 1885 u16 reason = sm->disconnect_reason; 1886 1887 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk); 1888 sm->Disconnect = FALSE; 1889 sm->disconnect_reason = 0; 1890 if (!reason) 1891 reason = WLAN_REASON_PREV_AUTH_NOT_VALID; 1892 wpa_sta_disconnect(sm->wpa_auth, sm->addr, reason); 1893} 1894 1895 1896SM_STATE(WPA_PTK, DISCONNECTED) 1897{ 1898 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk); 1899 sm->DeauthenticationRequest = FALSE; 1900} 1901 1902 1903SM_STATE(WPA_PTK, AUTHENTICATION) 1904{ 1905 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk); 1906 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1907 sm->PTK_valid = FALSE; 1908 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto, 1909 1); 1910 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1); 1911 sm->AuthenticationRequest = FALSE; 1912} 1913 1914 1915static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth, 1916 struct wpa_group *group) 1917{ 1918 if (group->first_sta_seen) 1919 return; 1920 /* 1921 * System has run bit further than at the time hostapd was started 1922 * potentially very early during boot up. This provides better chances 1923 * of collecting more randomness on embedded systems. Re-initialize the 1924 * GMK and Counter here to improve their strength if there was not 1925 * enough entropy available immediately after system startup. 1926 */ 1927 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first " 1928 "station"); 1929 if (random_pool_ready() != 1) { 1930 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 1931 "to proceed - reject first 4-way handshake"); 1932 group->reject_4way_hs_for_entropy = TRUE; 1933 } else { 1934 group->first_sta_seen = TRUE; 1935 group->reject_4way_hs_for_entropy = FALSE; 1936 } 1937 1938 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 || 1939 wpa_gtk_update(wpa_auth, group) < 0 || 1940 wpa_group_config_group_keys(wpa_auth, group) < 0) { 1941 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed"); 1942 group->first_sta_seen = FALSE; 1943 group->reject_4way_hs_for_entropy = TRUE; 1944 } 1945} 1946 1947 1948SM_STATE(WPA_PTK, AUTHENTICATION2) 1949{ 1950 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk); 1951 1952 wpa_group_ensure_init(sm->wpa_auth, sm->group); 1953 sm->ReAuthenticationRequest = FALSE; 1954 1955 /* 1956 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat 1957 * ambiguous. The Authenticator state machine uses a counter that is 1958 * incremented by one for each 4-way handshake. However, the security 1959 * analysis of 4-way handshake points out that unpredictable nonces 1960 * help in preventing precomputation attacks. Instead of the state 1961 * machine definition, use an unpredictable nonce value here to provide 1962 * stronger protection against potential precomputation attacks. 1963 */ 1964 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1965 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for " 1966 "ANonce."); 1967 sm->Disconnect = TRUE; 1968 return; 1969 } 1970 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce, 1971 WPA_NONCE_LEN); 1972 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more 1973 * logical place than INITIALIZE since AUTHENTICATION2 can be 1974 * re-entered on ReAuthenticationRequest without going through 1975 * INITIALIZE. */ 1976 sm->TimeoutCtr = 0; 1977} 1978 1979 1980static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm) 1981{ 1982 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1983 wpa_printf(MSG_ERROR, 1984 "WPA: Failed to get random data for ANonce"); 1985 sm->Disconnect = TRUE; 1986 return -1; 1987 } 1988 wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce, 1989 WPA_NONCE_LEN); 1990 sm->TimeoutCtr = 0; 1991 return 0; 1992} 1993 1994 1995SM_STATE(WPA_PTK, INITPMK) 1996{ 1997 u8 msk[2 * PMK_LEN]; 1998 size_t len = 2 * PMK_LEN; 1999 2000 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk); 2001#ifdef CONFIG_IEEE80211R_AP 2002 sm->xxkey_len = 0; 2003#endif /* CONFIG_IEEE80211R_AP */ 2004 if (sm->pmksa) { 2005 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache"); 2006 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len); 2007 sm->pmk_len = sm->pmksa->pmk_len; 2008#ifdef CONFIG_DPP 2009 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) { 2010 wpa_printf(MSG_DEBUG, 2011 "DPP: No PMKSA cache entry for STA - reject connection"); 2012 sm->Disconnect = TRUE; 2013 sm->disconnect_reason = WLAN_REASON_INVALID_PMKID; 2014 return; 2015#endif /* CONFIG_DPP */ 2016 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) { 2017 unsigned int pmk_len; 2018 2019 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) 2020 pmk_len = PMK_LEN_SUITE_B_192; 2021 else 2022 pmk_len = PMK_LEN; 2023 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine " 2024 "(MSK len=%lu PMK len=%u)", (unsigned long) len, 2025 pmk_len); 2026 if (len < pmk_len) { 2027 wpa_printf(MSG_DEBUG, 2028 "WPA: MSK not long enough (%u) to create PMK (%u)", 2029 (unsigned int) len, (unsigned int) pmk_len); 2030 sm->Disconnect = TRUE; 2031 return; 2032 } 2033 os_memcpy(sm->PMK, msk, pmk_len); 2034 sm->pmk_len = pmk_len; 2035#ifdef CONFIG_IEEE80211R_AP 2036 if (len >= 2 * PMK_LEN) { 2037 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) { 2038 os_memcpy(sm->xxkey, msk, SHA384_MAC_LEN); 2039 sm->xxkey_len = SHA384_MAC_LEN; 2040 } else { 2041 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN); 2042 sm->xxkey_len = PMK_LEN; 2043 } 2044 } 2045#endif /* CONFIG_IEEE80211R_AP */ 2046 } else { 2047 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p", 2048 sm->wpa_auth->cb->get_msk); 2049 sm->Disconnect = TRUE; 2050 return; 2051 } 2052 forced_memzero(msk, sizeof(msk)); 2053 2054 sm->req_replay_counter_used = 0; 2055 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this 2056 * will break reauthentication since EAPOL state machines may not be 2057 * get into AUTHENTICATING state that clears keyRun before WPA state 2058 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK 2059 * state and takes PMK from the previously used AAA Key. This will 2060 * eventually fail in 4-Way Handshake because Supplicant uses PMK 2061 * derived from the new AAA Key. Setting keyRun = FALSE here seems to 2062 * be good workaround for this issue. */ 2063 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0); 2064} 2065 2066 2067SM_STATE(WPA_PTK, INITPSK) 2068{ 2069 const u8 *psk; 2070 size_t psk_len; 2071 2072 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk); 2073 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL, 2074 &psk_len, NULL); 2075 if (psk) { 2076 os_memcpy(sm->PMK, psk, psk_len); 2077 sm->pmk_len = psk_len; 2078#ifdef CONFIG_IEEE80211R_AP 2079 os_memcpy(sm->xxkey, psk, PMK_LEN); 2080 sm->xxkey_len = PMK_LEN; 2081#endif /* CONFIG_IEEE80211R_AP */ 2082 } 2083#ifdef CONFIG_SAE 2084 if (wpa_auth_uses_sae(sm) && sm->pmksa) { 2085 wpa_printf(MSG_DEBUG, "SAE: PMK from PMKSA cache"); 2086 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len); 2087 sm->pmk_len = sm->pmksa->pmk_len; 2088#ifdef CONFIG_IEEE80211R_AP 2089 os_memcpy(sm->xxkey, sm->pmksa->pmk, sm->pmksa->pmk_len); 2090 sm->xxkey_len = sm->pmksa->pmk_len; 2091#endif /* CONFIG_IEEE80211R_AP */ 2092 } 2093#endif /* CONFIG_SAE */ 2094 sm->req_replay_counter_used = 0; 2095} 2096 2097 2098SM_STATE(WPA_PTK, PTKSTART) 2099{ 2100 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL; 2101 size_t pmkid_len = 0; 2102 2103 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk); 2104 sm->PTKRequest = FALSE; 2105 sm->TimeoutEvt = FALSE; 2106 sm->alt_snonce_valid = FALSE; 2107 2108 sm->TimeoutCtr++; 2109 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) { 2110 /* No point in sending the EAPOL-Key - we will disconnect 2111 * immediately following this. */ 2112 return; 2113 } 2114 2115 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2116 "sending 1/4 msg of 4-Way Handshake"); 2117 /* 2118 * For infrastructure BSS cases, it is better for the AP not to include 2119 * the PMKID KDE in EAPOL-Key msg 1/4 since it could be used to initiate 2120 * offline search for the passphrase/PSK without having to be able to 2121 * capture a 4-way handshake from a STA that has access to the network. 2122 * 2123 * For IBSS cases, addition of PMKID KDE could be considered even with 2124 * WPA2-PSK cases that use multiple PSKs, but only if there is a single 2125 * possible PSK for this STA. However, this should not be done unless 2126 * there is support for using that information on the supplicant side. 2127 * The concern about exposing PMKID unnecessarily in infrastructure BSS 2128 * cases would also apply here, but at least in the IBSS case, this 2129 * would cover a potential real use case. 2130 */ 2131 if (sm->wpa == WPA_VERSION_WPA2 && 2132 (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) || 2133 (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && sm->pmksa) || 2134 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) && 2135 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) { 2136 pmkid = buf; 2137 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN; 2138 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC; 2139 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN; 2140 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID); 2141 if (sm->pmksa) { 2142 wpa_hexdump(MSG_DEBUG, 2143 "RSN: Message 1/4 PMKID from PMKSA entry", 2144 sm->pmksa->pmkid, PMKID_LEN); 2145 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 2146 sm->pmksa->pmkid, PMKID_LEN); 2147 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) { 2148 /* No KCK available to derive PMKID */ 2149 wpa_printf(MSG_DEBUG, 2150 "RSN: No KCK available to derive PMKID for message 1/4"); 2151 pmkid = NULL; 2152#ifdef CONFIG_FILS 2153 } else if (wpa_key_mgmt_fils(sm->wpa_key_mgmt)) { 2154 if (sm->pmkid_set) { 2155 wpa_hexdump(MSG_DEBUG, 2156 "RSN: Message 1/4 PMKID from FILS/ERP", 2157 sm->pmkid, PMKID_LEN); 2158 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 2159 sm->pmkid, PMKID_LEN); 2160 } else { 2161 /* No PMKID available */ 2162 wpa_printf(MSG_DEBUG, 2163 "RSN: No FILS/ERP PMKID available for message 1/4"); 2164 pmkid = NULL; 2165 } 2166#endif /* CONFIG_FILS */ 2167#ifdef CONFIG_IEEE80211R_AP 2168 } else if (wpa_key_mgmt_ft(sm->wpa_key_mgmt) && 2169 sm->ft_completed) { 2170 wpa_printf(MSG_DEBUG, 2171 "FT: No PMKID in message 1/4 when using FT protocol"); 2172 pmkid = NULL; 2173 pmkid_len = 0; 2174#endif /* CONFIG_IEEE80211R_AP */ 2175#ifdef CONFIG_SAE 2176 } else if (wpa_key_mgmt_sae(sm->wpa_key_mgmt)) { 2177 if (sm->pmkid_set) { 2178 wpa_hexdump(MSG_DEBUG, 2179 "RSN: Message 1/4 PMKID from SAE", 2180 sm->pmkid, PMKID_LEN); 2181 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 2182 sm->pmkid, PMKID_LEN); 2183 } else { 2184 /* No PMKID available */ 2185 wpa_printf(MSG_DEBUG, 2186 "RSN: No SAE PMKID available for message 1/4"); 2187 pmkid = NULL; 2188 } 2189#endif /* CONFIG_SAE */ 2190 } else { 2191 /* 2192 * Calculate PMKID since no PMKSA cache entry was 2193 * available with pre-calculated PMKID. 2194 */ 2195 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr, 2196 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN], 2197 sm->wpa_key_mgmt); 2198 wpa_hexdump(MSG_DEBUG, 2199 "RSN: Message 1/4 PMKID derived from PMK", 2200 &pmkid[2 + RSN_SELECTOR_LEN], PMKID_LEN); 2201 } 2202 } 2203 wpa_send_eapol(sm->wpa_auth, sm, 2204 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 2205 sm->ANonce, pmkid, pmkid_len, 0, 0); 2206} 2207 2208 2209static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 2210 const u8 *pmk, unsigned int pmk_len, 2211 struct wpa_ptk *ptk) 2212{ 2213 const u8 *z = NULL; 2214 size_t z_len = 0; 2215 2216#ifdef CONFIG_IEEE80211R_AP 2217 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2218 if (sm->ft_completed) { 2219 u8 ptk_name[WPA_PMK_NAME_LEN]; 2220 2221 return wpa_pmk_r1_to_ptk(sm->pmk_r1, sm->pmk_r1_len, 2222 sm->SNonce, sm->ANonce, 2223 sm->addr, sm->wpa_auth->addr, 2224 sm->pmk_r1_name, 2225 ptk, ptk_name, 2226 sm->wpa_key_mgmt, 2227 sm->pairwise); 2228 } 2229 return wpa_auth_derive_ptk_ft(sm, ptk); 2230 } 2231#endif /* CONFIG_IEEE80211R_AP */ 2232 2233#ifdef CONFIG_DPP2 2234 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) { 2235 z = wpabuf_head(sm->dpp_z); 2236 z_len = wpabuf_len(sm->dpp_z); 2237 } 2238#endif /* CONFIG_DPP2 */ 2239 2240 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion", 2241 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce, 2242 ptk, sm->wpa_key_mgmt, sm->pairwise, z, z_len); 2243} 2244 2245 2246#ifdef CONFIG_FILS 2247 2248int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk, 2249 size_t pmk_len, const u8 *snonce, const u8 *anonce, 2250 const u8 *dhss, size_t dhss_len, 2251 struct wpabuf *g_sta, struct wpabuf *g_ap) 2252{ 2253 u8 ick[FILS_ICK_MAX_LEN]; 2254 size_t ick_len; 2255 int res; 2256 u8 fils_ft[FILS_FT_MAX_LEN]; 2257 size_t fils_ft_len = 0; 2258 2259 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr, 2260 snonce, anonce, dhss, dhss_len, 2261 &sm->PTK, ick, &ick_len, 2262 sm->wpa_key_mgmt, sm->pairwise, 2263 fils_ft, &fils_ft_len); 2264 if (res < 0) 2265 return res; 2266 sm->PTK_valid = TRUE; 2267 sm->tk_already_set = FALSE; 2268 2269#ifdef CONFIG_IEEE80211R_AP 2270 if (fils_ft_len) { 2271 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2272 struct wpa_auth_config *conf = &wpa_auth->conf; 2273 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN]; 2274 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt); 2275 size_t pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN; 2276 2277 if (wpa_derive_pmk_r0(fils_ft, fils_ft_len, 2278 conf->ssid, conf->ssid_len, 2279 conf->mobility_domain, 2280 conf->r0_key_holder, 2281 conf->r0_key_holder_len, 2282 sm->addr, pmk_r0, pmk_r0_name, 2283 use_sha384) < 0) 2284 return -1; 2285 2286 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: PMK-R0", 2287 pmk_r0, pmk_r0_len); 2288 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name", 2289 pmk_r0_name, WPA_PMK_NAME_LEN); 2290 wpa_ft_store_pmk_fils(sm, pmk_r0, pmk_r0_name); 2291 forced_memzero(fils_ft, sizeof(fils_ft)); 2292 2293 res = wpa_derive_pmk_r1_name(pmk_r0_name, conf->r1_key_holder, 2294 sm->addr, sm->pmk_r1_name, 2295 use_sha384); 2296 forced_memzero(pmk_r0, PMK_LEN_MAX); 2297 if (res < 0) 2298 return -1; 2299 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR1Name", sm->pmk_r1_name, 2300 WPA_PMK_NAME_LEN); 2301 sm->pmk_r1_name_valid = 1; 2302 } 2303#endif /* CONFIG_IEEE80211R_AP */ 2304 2305 res = fils_key_auth_sk(ick, ick_len, snonce, anonce, 2306 sm->addr, sm->wpa_auth->addr, 2307 g_sta ? wpabuf_head(g_sta) : NULL, 2308 g_sta ? wpabuf_len(g_sta) : 0, 2309 g_ap ? wpabuf_head(g_ap) : NULL, 2310 g_ap ? wpabuf_len(g_ap) : 0, 2311 sm->wpa_key_mgmt, sm->fils_key_auth_sta, 2312 sm->fils_key_auth_ap, 2313 &sm->fils_key_auth_len); 2314 forced_memzero(ick, sizeof(ick)); 2315 2316 /* Store nonces for (Re)Association Request/Response frame processing */ 2317 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN); 2318 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN); 2319 2320 return res; 2321} 2322 2323 2324static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk, 2325 u8 *buf, size_t buf_len, u16 *_key_data_len) 2326{ 2327 struct ieee802_1x_hdr *hdr; 2328 struct wpa_eapol_key *key; 2329 u8 *pos; 2330 u16 key_data_len; 2331 u8 *tmp; 2332 const u8 *aad[1]; 2333 size_t aad_len[1]; 2334 2335 hdr = (struct ieee802_1x_hdr *) buf; 2336 key = (struct wpa_eapol_key *) (hdr + 1); 2337 pos = (u8 *) (key + 1); 2338 key_data_len = WPA_GET_BE16(pos); 2339 if (key_data_len < AES_BLOCK_SIZE || 2340 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) { 2341 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2342 "No room for AES-SIV data in the frame"); 2343 return -1; 2344 } 2345 pos += 2; /* Pointing at the Encrypted Key Data field */ 2346 2347 tmp = os_malloc(key_data_len); 2348 if (!tmp) 2349 return -1; 2350 2351 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 2352 * to Key Data (exclusive). */ 2353 aad[0] = buf; 2354 aad_len[0] = pos - buf; 2355 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len, 2356 1, aad, aad_len, tmp) < 0) { 2357 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2358 "Invalid AES-SIV data in the frame"); 2359 bin_clear_free(tmp, key_data_len); 2360 return -1; 2361 } 2362 2363 /* AEAD decryption and validation completed successfully */ 2364 key_data_len -= AES_BLOCK_SIZE; 2365 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data", 2366 tmp, key_data_len); 2367 2368 /* Replace Key Data field with the decrypted version */ 2369 os_memcpy(pos, tmp, key_data_len); 2370 pos -= 2; /* Key Data Length field */ 2371 WPA_PUT_BE16(pos, key_data_len); 2372 bin_clear_free(tmp, key_data_len); 2373 if (_key_data_len) 2374 *_key_data_len = key_data_len; 2375 return 0; 2376} 2377 2378 2379const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm, 2380 const u8 *ies, size_t ies_len, 2381 const u8 *fils_session) 2382{ 2383 const u8 *ie, *end; 2384 const u8 *session = NULL; 2385 2386 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) { 2387 wpa_printf(MSG_DEBUG, 2388 "FILS: Not a FILS AKM - reject association"); 2389 return NULL; 2390 } 2391 2392 /* Verify Session element */ 2393 ie = ies; 2394 end = ((const u8 *) ie) + ies_len; 2395 while (ie + 1 < end) { 2396 if (ie + 2 + ie[1] > end) 2397 break; 2398 if (ie[0] == WLAN_EID_EXTENSION && 2399 ie[1] >= 1 + FILS_SESSION_LEN && 2400 ie[2] == WLAN_EID_EXT_FILS_SESSION) { 2401 session = ie; 2402 break; 2403 } 2404 ie += 2 + ie[1]; 2405 } 2406 2407 if (!session) { 2408 wpa_printf(MSG_DEBUG, 2409 "FILS: %s: Could not find FILS Session element in Assoc Req - reject", 2410 __func__); 2411 return NULL; 2412 } 2413 2414 if (!fils_session) { 2415 wpa_printf(MSG_DEBUG, 2416 "FILS: %s: Could not find FILS Session element in STA entry - reject", 2417 __func__); 2418 return NULL; 2419 } 2420 2421 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) { 2422 wpa_printf(MSG_DEBUG, "FILS: Session mismatch"); 2423 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session", 2424 fils_session, FILS_SESSION_LEN); 2425 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session", 2426 session + 3, FILS_SESSION_LEN); 2427 return NULL; 2428 } 2429 return session; 2430} 2431 2432 2433int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies, 2434 size_t ies_len) 2435{ 2436 struct ieee802_11_elems elems; 2437 2438 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) { 2439 wpa_printf(MSG_DEBUG, 2440 "FILS: Failed to parse decrypted elements"); 2441 return -1; 2442 } 2443 2444 if (!elems.fils_session) { 2445 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element"); 2446 return -1; 2447 } 2448 2449 if (!elems.fils_key_confirm) { 2450 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element"); 2451 return -1; 2452 } 2453 2454 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) { 2455 wpa_printf(MSG_DEBUG, 2456 "FILS: Unexpected Key-Auth length %d (expected %d)", 2457 elems.fils_key_confirm_len, 2458 (int) sm->fils_key_auth_len); 2459 return -1; 2460 } 2461 2462 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta, 2463 sm->fils_key_auth_len) != 0) { 2464 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch"); 2465 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth", 2466 elems.fils_key_confirm, elems.fils_key_confirm_len); 2467 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth", 2468 sm->fils_key_auth_sta, sm->fils_key_auth_len); 2469 return -1; 2470 } 2471 2472 return 0; 2473} 2474 2475 2476int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session, 2477 const struct ieee80211_mgmt *mgmt, size_t frame_len, 2478 u8 *pos, size_t left) 2479{ 2480 u16 fc, stype; 2481 const u8 *end, *ie_start, *ie, *session, *crypt; 2482 const u8 *aad[5]; 2483 size_t aad_len[5]; 2484 2485 if (!sm || !sm->PTK_valid) { 2486 wpa_printf(MSG_DEBUG, 2487 "FILS: No KEK to decrypt Assocication Request frame"); 2488 return -1; 2489 } 2490 2491 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) { 2492 wpa_printf(MSG_DEBUG, 2493 "FILS: Not a FILS AKM - reject association"); 2494 return -1; 2495 } 2496 2497 end = ((const u8 *) mgmt) + frame_len; 2498 fc = le_to_host16(mgmt->frame_control); 2499 stype = WLAN_FC_GET_STYPE(fc); 2500 if (stype == WLAN_FC_STYPE_REASSOC_REQ) 2501 ie_start = mgmt->u.reassoc_req.variable; 2502 else 2503 ie_start = mgmt->u.assoc_req.variable; 2504 ie = ie_start; 2505 2506 /* 2507 * Find FILS Session element which is the last unencrypted element in 2508 * the frame. 2509 */ 2510 session = wpa_fils_validate_fils_session(sm, ie, end - ie, 2511 fils_session); 2512 if (!session) { 2513 wpa_printf(MSG_DEBUG, "FILS: Session validation failed"); 2514 return -1; 2515 } 2516 2517 crypt = session + 2 + session[1]; 2518 2519 if (end - crypt < AES_BLOCK_SIZE) { 2520 wpa_printf(MSG_DEBUG, 2521 "FILS: Too short frame to include AES-SIV data"); 2522 return -1; 2523 } 2524 2525 /* AES-SIV AAD vectors */ 2526 2527 /* The STA's MAC address */ 2528 aad[0] = mgmt->sa; 2529 aad_len[0] = ETH_ALEN; 2530 /* The AP's BSSID */ 2531 aad[1] = mgmt->da; 2532 aad_len[1] = ETH_ALEN; 2533 /* The STA's nonce */ 2534 aad[2] = sm->SNonce; 2535 aad_len[2] = FILS_NONCE_LEN; 2536 /* The AP's nonce */ 2537 aad[3] = sm->ANonce; 2538 aad_len[3] = FILS_NONCE_LEN; 2539 /* 2540 * The (Re)Association Request frame from the Capability Information 2541 * field to the FILS Session element (both inclusive). 2542 */ 2543 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info; 2544 aad_len[4] = crypt - aad[4]; 2545 2546 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt, 2547 5, aad, aad_len, pos + (crypt - ie_start)) < 0) { 2548 wpa_printf(MSG_DEBUG, 2549 "FILS: Invalid AES-SIV data in the frame"); 2550 return -1; 2551 } 2552 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements", 2553 pos, left - AES_BLOCK_SIZE); 2554 2555 if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) { 2556 wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed"); 2557 return -1; 2558 } 2559 2560 return left - AES_BLOCK_SIZE; 2561} 2562 2563 2564int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf, 2565 size_t current_len, size_t max_len, 2566 const struct wpabuf *hlp) 2567{ 2568 u8 *end = buf + max_len; 2569 u8 *pos = buf + current_len; 2570 struct ieee80211_mgmt *mgmt; 2571 struct wpabuf *plain; 2572 const u8 *aad[5]; 2573 size_t aad_len[5]; 2574 2575 if (!sm || !sm->PTK_valid) 2576 return -1; 2577 2578 wpa_hexdump(MSG_DEBUG, 2579 "FILS: Association Response frame before FILS processing", 2580 buf, current_len); 2581 2582 mgmt = (struct ieee80211_mgmt *) buf; 2583 2584 /* AES-SIV AAD vectors */ 2585 2586 /* The AP's BSSID */ 2587 aad[0] = mgmt->sa; 2588 aad_len[0] = ETH_ALEN; 2589 /* The STA's MAC address */ 2590 aad[1] = mgmt->da; 2591 aad_len[1] = ETH_ALEN; 2592 /* The AP's nonce */ 2593 aad[2] = sm->ANonce; 2594 aad_len[2] = FILS_NONCE_LEN; 2595 /* The STA's nonce */ 2596 aad[3] = sm->SNonce; 2597 aad_len[3] = FILS_NONCE_LEN; 2598 /* 2599 * The (Re)Association Response frame from the Capability Information 2600 * field (the same offset in both Association and Reassociation 2601 * Response frames) to the FILS Session element (both inclusive). 2602 */ 2603 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info; 2604 aad_len[4] = pos - aad[4]; 2605 2606 /* The following elements will be encrypted with AES-SIV */ 2607 plain = fils_prepare_plainbuf(sm, hlp); 2608 if (!plain) { 2609 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed"); 2610 return -1; 2611 } 2612 2613 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) { 2614 wpa_printf(MSG_DEBUG, 2615 "FILS: Not enough room for FILS elements"); 2616 wpabuf_clear_free(plain); 2617 return -1; 2618 } 2619 2620 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext", 2621 plain); 2622 2623 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, 2624 wpabuf_head(plain), wpabuf_len(plain), 2625 5, aad, aad_len, pos) < 0) { 2626 wpabuf_clear_free(plain); 2627 return -1; 2628 } 2629 2630 wpa_hexdump(MSG_DEBUG, 2631 "FILS: Encrypted Association Response elements", 2632 pos, AES_BLOCK_SIZE + wpabuf_len(plain)); 2633 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE; 2634 wpabuf_clear_free(plain); 2635 2636 sm->fils_completed = 1; 2637 2638 return current_len; 2639} 2640 2641 2642static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm, 2643 const struct wpabuf *hlp) 2644{ 2645 struct wpabuf *plain; 2646 u8 *len, *tmp, *tmp2; 2647 u8 hdr[2]; 2648 u8 *gtk, dummy_gtk[32]; 2649 size_t gtk_len; 2650 struct wpa_group *gsm; 2651 2652 plain = wpabuf_alloc(1000); 2653 if (!plain) 2654 return NULL; 2655 2656 /* TODO: FILS Public Key */ 2657 2658 /* FILS Key Confirmation */ 2659 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */ 2660 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */ 2661 /* Element ID Extension */ 2662 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM); 2663 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len); 2664 2665 /* FILS HLP Container */ 2666 if (hlp) 2667 wpabuf_put_buf(plain, hlp); 2668 2669 /* TODO: FILS IP Address Assignment */ 2670 2671 /* Key Delivery */ 2672 gsm = sm->group; 2673 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */ 2674 len = wpabuf_put(plain, 1); 2675 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY); 2676 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, 2677 wpabuf_put(plain, WPA_KEY_RSC_LEN)); 2678 /* GTK KDE */ 2679 gtk = gsm->GTK[gsm->GN - 1]; 2680 gtk_len = gsm->GTK_len; 2681 if (sm->wpa_auth->conf.disable_gtk || 2682 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 2683 /* 2684 * Provide unique random GTK to each STA to prevent use 2685 * of GTK in the BSS. 2686 */ 2687 if (random_get_bytes(dummy_gtk, gtk_len) < 0) { 2688 wpabuf_clear_free(plain); 2689 return NULL; 2690 } 2691 gtk = dummy_gtk; 2692 } 2693 hdr[0] = gsm->GN & 0x03; 2694 hdr[1] = 0; 2695 tmp = wpabuf_put(plain, 0); 2696 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2697 gtk, gtk_len); 2698 wpabuf_put(plain, tmp2 - tmp); 2699 2700 /* IGTK KDE */ 2701 tmp = wpabuf_put(plain, 0); 2702 tmp2 = ieee80211w_kde_add(sm, tmp); 2703 wpabuf_put(plain, tmp2 - tmp); 2704 2705 *len = (u8 *) wpabuf_put(plain, 0) - len - 1; 2706 2707#ifdef CONFIG_OCV 2708 if (wpa_auth_uses_ocv(sm)) { 2709 struct wpa_channel_info ci; 2710 u8 *pos; 2711 2712 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) { 2713 wpa_printf(MSG_WARNING, 2714 "FILS: Failed to get channel info for OCI element"); 2715 wpabuf_clear_free(plain); 2716 return NULL; 2717 } 2718 2719 pos = wpabuf_put(plain, OCV_OCI_EXTENDED_LEN); 2720 if (ocv_insert_extended_oci(&ci, pos) < 0) { 2721 wpabuf_clear_free(plain); 2722 return NULL; 2723 } 2724 } 2725#endif /* CONFIG_OCV */ 2726 2727 return plain; 2728} 2729 2730 2731int fils_set_tk(struct wpa_state_machine *sm) 2732{ 2733 enum wpa_alg alg; 2734 int klen; 2735 2736 if (!sm || !sm->PTK_valid) { 2737 wpa_printf(MSG_DEBUG, "FILS: No valid PTK available to set TK"); 2738 return -1; 2739 } 2740 if (sm->tk_already_set) { 2741 wpa_printf(MSG_DEBUG, "FILS: TK already set to the driver"); 2742 return -1; 2743 } 2744 2745 alg = wpa_cipher_to_alg(sm->pairwise); 2746 klen = wpa_cipher_key_len(sm->pairwise); 2747 2748 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver"); 2749 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 2750 sm->PTK.tk, klen)) { 2751 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver"); 2752 return -1; 2753 } 2754 sm->tk_already_set = TRUE; 2755 2756 return 0; 2757} 2758 2759 2760u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf, 2761 const u8 *fils_session, struct wpabuf *hlp) 2762{ 2763 struct wpabuf *plain; 2764 u8 *pos = buf; 2765 2766 /* FILS Session */ 2767 *pos++ = WLAN_EID_EXTENSION; /* Element ID */ 2768 *pos++ = 1 + FILS_SESSION_LEN; /* Length */ 2769 *pos++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */ 2770 os_memcpy(pos, fils_session, FILS_SESSION_LEN); 2771 pos += FILS_SESSION_LEN; 2772 2773 plain = fils_prepare_plainbuf(sm, hlp); 2774 if (!plain) { 2775 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed"); 2776 return NULL; 2777 } 2778 2779 os_memcpy(pos, wpabuf_head(plain), wpabuf_len(plain)); 2780 pos += wpabuf_len(plain); 2781 2782 wpa_printf(MSG_DEBUG, "%s: plain buf_len: %u", __func__, 2783 (unsigned int) wpabuf_len(plain)); 2784 wpabuf_clear_free(plain); 2785 sm->fils_completed = 1; 2786 return pos; 2787} 2788 2789#endif /* CONFIG_FILS */ 2790 2791 2792#ifdef CONFIG_OCV 2793int get_sta_tx_parameters(struct wpa_state_machine *sm, int ap_max_chanwidth, 2794 int ap_seg1_idx, int *bandwidth, int *seg1_idx) 2795{ 2796 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2797 2798 if (!wpa_auth->cb->get_sta_tx_params) 2799 return -1; 2800 return wpa_auth->cb->get_sta_tx_params(wpa_auth->cb_ctx, sm->addr, 2801 ap_max_chanwidth, ap_seg1_idx, 2802 bandwidth, seg1_idx); 2803} 2804#endif /* CONFIG_OCV */ 2805 2806 2807SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) 2808{ 2809 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2810 struct wpa_ptk PTK; 2811 int ok = 0, psk_found = 0; 2812 const u8 *pmk = NULL; 2813 size_t pmk_len; 2814 int ft; 2815 const u8 *eapol_key_ie, *key_data, *mic; 2816 u16 key_data_length; 2817 size_t mic_len, eapol_key_ie_len; 2818 struct ieee802_1x_hdr *hdr; 2819 struct wpa_eapol_key *key; 2820 struct wpa_eapol_ie_parse kde; 2821 int vlan_id = 0; 2822 2823 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk); 2824 sm->EAPOLKeyReceived = FALSE; 2825 sm->update_snonce = FALSE; 2826 os_memset(&PTK, 0, sizeof(PTK)); 2827 2828 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 2829 2830 /* WPA with IEEE 802.1X: use the derived PMK from EAP 2831 * WPA-PSK: iterate through possible PSKs and select the one matching 2832 * the packet */ 2833 for (;;) { 2834 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && 2835 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) { 2836 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 2837 sm->p2p_dev_addr, pmk, &pmk_len, 2838 &vlan_id); 2839 if (pmk == NULL) 2840 break; 2841 psk_found = 1; 2842#ifdef CONFIG_IEEE80211R_AP 2843 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) { 2844 os_memcpy(sm->xxkey, pmk, pmk_len); 2845 sm->xxkey_len = pmk_len; 2846 } 2847#endif /* CONFIG_IEEE80211R_AP */ 2848 } else { 2849 pmk = sm->PMK; 2850 pmk_len = sm->pmk_len; 2851 } 2852 2853 if ((!pmk || !pmk_len) && sm->pmksa) { 2854 wpa_printf(MSG_DEBUG, "WPA: Use PMK from PMKSA cache"); 2855 pmk = sm->pmksa->pmk; 2856 pmk_len = sm->pmksa->pmk_len; 2857 } 2858 2859 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK) < 0) 2860 break; 2861 2862 if (mic_len && 2863 wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK, 2864 sm->last_rx_eapol_key, 2865 sm->last_rx_eapol_key_len) == 0) { 2866 if (sm->PMK != pmk) { 2867 os_memcpy(sm->PMK, pmk, pmk_len); 2868 sm->pmk_len = pmk_len; 2869 } 2870 ok = 1; 2871 break; 2872 } 2873 2874#ifdef CONFIG_FILS 2875 if (!mic_len && 2876 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key, 2877 sm->last_rx_eapol_key_len, NULL) == 0) { 2878 ok = 1; 2879 break; 2880 } 2881#endif /* CONFIG_FILS */ 2882 2883 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 2884 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) 2885 break; 2886 } 2887 2888 if (!ok) { 2889 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2890 "invalid MIC in msg 2/4 of 4-Way Handshake"); 2891 if (psk_found) 2892 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr); 2893 return; 2894 } 2895 2896 /* 2897 * Note: last_rx_eapol_key length fields have already been validated in 2898 * wpa_receive(). 2899 */ 2900 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key; 2901 key = (struct wpa_eapol_key *) (hdr + 1); 2902 mic = (u8 *) (key + 1); 2903 key_data = mic + mic_len + 2; 2904 key_data_length = WPA_GET_BE16(mic + mic_len); 2905 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) - 2906 sizeof(*key) - mic_len - 2) 2907 return; 2908 2909 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) { 2910 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 2911 "received EAPOL-Key msg 2/4 with invalid Key Data contents"); 2912 return; 2913 } 2914 if (kde.rsn_ie) { 2915 eapol_key_ie = kde.rsn_ie; 2916 eapol_key_ie_len = kde.rsn_ie_len; 2917 } else if (kde.osen) { 2918 eapol_key_ie = kde.osen; 2919 eapol_key_ie_len = kde.osen_len; 2920 } else { 2921 eapol_key_ie = kde.wpa_ie; 2922 eapol_key_ie_len = kde.wpa_ie_len; 2923 } 2924 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt); 2925 if (sm->wpa_ie == NULL || 2926 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len, 2927 eapol_key_ie, eapol_key_ie_len)) { 2928 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 2929 "WPA IE from (Re)AssocReq did not match with msg 2/4"); 2930 if (sm->wpa_ie) { 2931 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq", 2932 sm->wpa_ie, sm->wpa_ie_len); 2933 } 2934 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4", 2935 eapol_key_ie, eapol_key_ie_len); 2936 /* MLME-DEAUTHENTICATE.request */ 2937 wpa_sta_disconnect(wpa_auth, sm->addr, 2938 WLAN_REASON_PREV_AUTH_NOT_VALID); 2939 return; 2940 } 2941#ifdef CONFIG_OCV 2942 if (wpa_auth_uses_ocv(sm)) { 2943 struct wpa_channel_info ci; 2944 int tx_chanwidth; 2945 int tx_seg1_idx; 2946 2947 if (wpa_channel_info(wpa_auth, &ci) != 0) { 2948 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 2949 "Failed to get channel info to validate received OCI in EAPOL-Key 2/4"); 2950 return; 2951 } 2952 2953 if (get_sta_tx_parameters(sm, 2954 channel_width_to_int(ci.chanwidth), 2955 ci.seg1_idx, &tx_chanwidth, 2956 &tx_seg1_idx) < 0) 2957 return; 2958 2959 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci, 2960 tx_chanwidth, tx_seg1_idx) != 0) { 2961 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 2962 ocv_errorstr); 2963 return; 2964 } 2965 } 2966#endif /* CONFIG_OCV */ 2967#ifdef CONFIG_IEEE80211R_AP 2968 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) { 2969 wpa_sta_disconnect(wpa_auth, sm->addr, 2970 WLAN_REASON_PREV_AUTH_NOT_VALID); 2971 return; 2972 } 2973#endif /* CONFIG_IEEE80211R_AP */ 2974#ifdef CONFIG_P2P 2975 if (kde.ip_addr_req && kde.ip_addr_req[0] && 2976 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) { 2977 int idx; 2978 wpa_printf(MSG_DEBUG, 2979 "P2P: IP address requested in EAPOL-Key exchange"); 2980 idx = bitfield_get_first_zero(wpa_auth->ip_pool); 2981 if (idx >= 0) { 2982 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start); 2983 bitfield_set(wpa_auth->ip_pool, idx); 2984 WPA_PUT_BE32(sm->ip_addr, start + idx); 2985 wpa_printf(MSG_DEBUG, 2986 "P2P: Assigned IP address %u.%u.%u.%u to " 2987 MACSTR, sm->ip_addr[0], sm->ip_addr[1], 2988 sm->ip_addr[2], sm->ip_addr[3], 2989 MAC2STR(sm->addr)); 2990 } 2991 } 2992#endif /* CONFIG_P2P */ 2993 2994#ifdef CONFIG_IEEE80211R_AP 2995 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2996 /* 2997 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches 2998 * with the value we derived. 2999 */ 3000 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name, 3001 WPA_PMK_NAME_LEN) != 0) { 3002 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3003 "PMKR1Name mismatch in FT 4-way " 3004 "handshake"); 3005 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from " 3006 "Supplicant", 3007 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN); 3008 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 3009 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 3010 return; 3011 } 3012 } 3013#endif /* CONFIG_IEEE80211R_AP */ 3014 3015 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && 3016 wpa_auth_update_vlan(wpa_auth, sm->addr, vlan_id) < 0) { 3017 wpa_sta_disconnect(wpa_auth, sm->addr, 3018 WLAN_REASON_PREV_AUTH_NOT_VALID); 3019 return; 3020 } 3021 3022 sm->pending_1_of_4_timeout = 0; 3023 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 3024 3025 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 3026 /* PSK may have changed from the previous choice, so update 3027 * state machine data based on whatever PSK was selected here. 3028 */ 3029 os_memcpy(sm->PMK, pmk, PMK_LEN); 3030 sm->pmk_len = PMK_LEN; 3031 } 3032 3033 sm->MICVerified = TRUE; 3034 3035 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 3036 forced_memzero(&PTK, sizeof(PTK)); 3037 sm->PTK_valid = TRUE; 3038} 3039 3040 3041SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2) 3042{ 3043 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk); 3044 sm->TimeoutCtr = 0; 3045} 3046 3047 3048#ifdef CONFIG_IEEE80211W 3049 3050static int ieee80211w_kde_len(struct wpa_state_machine *sm) 3051{ 3052 if (sm->mgmt_frame_prot) { 3053 size_t len; 3054 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 3055 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len; 3056 } 3057 3058 return 0; 3059} 3060 3061 3062static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 3063{ 3064 struct wpa_igtk_kde igtk; 3065 struct wpa_group *gsm = sm->group; 3066 u8 rsc[WPA_KEY_RSC_LEN]; 3067 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 3068 3069 if (!sm->mgmt_frame_prot) 3070 return pos; 3071 3072 igtk.keyid[0] = gsm->GN_igtk; 3073 igtk.keyid[1] = 0; 3074 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE || 3075 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0) 3076 os_memset(igtk.pn, 0, sizeof(igtk.pn)); 3077 else 3078 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn)); 3079 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len); 3080 if (sm->wpa_auth->conf.disable_gtk || 3081 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 3082 /* 3083 * Provide unique random IGTK to each STA to prevent use of 3084 * IGTK in the BSS. 3085 */ 3086 if (random_get_bytes(igtk.igtk, len) < 0) 3087 return pos; 3088 } 3089 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK, 3090 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len, 3091 NULL, 0); 3092 3093 return pos; 3094} 3095 3096#else /* CONFIG_IEEE80211W */ 3097 3098static int ieee80211w_kde_len(struct wpa_state_machine *sm) 3099{ 3100 return 0; 3101} 3102 3103 3104static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 3105{ 3106 return pos; 3107} 3108 3109#endif /* CONFIG_IEEE80211W */ 3110 3111 3112static int ocv_oci_len(struct wpa_state_machine *sm) 3113{ 3114#ifdef CONFIG_OCV 3115 if (wpa_auth_uses_ocv(sm)) 3116 return OCV_OCI_KDE_LEN; 3117#endif /* CONFIG_OCV */ 3118 return 0; 3119} 3120 3121static int ocv_oci_add(struct wpa_state_machine *sm, u8 **argpos) 3122{ 3123#ifdef CONFIG_OCV 3124 struct wpa_channel_info ci; 3125 3126 if (!wpa_auth_uses_ocv(sm)) 3127 return 0; 3128 3129 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) { 3130 wpa_printf(MSG_WARNING, 3131 "Failed to get channel info for OCI element"); 3132 return -1; 3133 } 3134 3135 return ocv_insert_oci_kde(&ci, argpos); 3136#else /* CONFIG_OCV */ 3137 return 0; 3138#endif /* CONFIG_OCV */ 3139} 3140 3141 3142SM_STATE(WPA_PTK, PTKINITNEGOTIATING) 3143{ 3144 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32]; 3145 size_t gtk_len, kde_len; 3146 struct wpa_group *gsm = sm->group; 3147 u8 *wpa_ie; 3148 int wpa_ie_len, secure, keyidx, encr = 0; 3149 3150 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk); 3151 sm->TimeoutEvt = FALSE; 3152 3153 sm->TimeoutCtr++; 3154 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries && 3155 sm->TimeoutCtr > 1) { 3156 /* Do not allow retransmission of EAPOL-Key msg 3/4 */ 3157 return; 3158 } 3159 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) { 3160 /* No point in sending the EAPOL-Key - we will disconnect 3161 * immediately following this. */ 3162 return; 3163 } 3164 3165 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 3166 GTK[GN], IGTK, [FTIE], [TIE * 2]) 3167 */ 3168 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 3169 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 3170 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 3171 wpa_ie = sm->wpa_auth->wpa_ie; 3172 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 3173 if (sm->wpa == WPA_VERSION_WPA && 3174 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 3175 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 3176 /* WPA-only STA, remove RSN IE and possible MDIE */ 3177 wpa_ie = wpa_ie + wpa_ie[1] + 2; 3178 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN) 3179 wpa_ie = wpa_ie + wpa_ie[1] + 2; 3180 wpa_ie_len = wpa_ie[1] + 2; 3181 } 3182 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3183 "sending 3/4 msg of 4-Way Handshake"); 3184 if (sm->wpa == WPA_VERSION_WPA2) { 3185 /* WPA2 send GTK in the 4-way handshake */ 3186 secure = 1; 3187 gtk = gsm->GTK[gsm->GN - 1]; 3188 gtk_len = gsm->GTK_len; 3189 if (sm->wpa_auth->conf.disable_gtk || 3190 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 3191 /* 3192 * Provide unique random GTK to each STA to prevent use 3193 * of GTK in the BSS. 3194 */ 3195 if (random_get_bytes(dummy_gtk, gtk_len) < 0) 3196 return; 3197 gtk = dummy_gtk; 3198 } 3199 keyidx = gsm->GN; 3200 _rsc = rsc; 3201 encr = 1; 3202 } else { 3203 /* WPA does not include GTK in msg 3/4 */ 3204 secure = 0; 3205 gtk = NULL; 3206 gtk_len = 0; 3207 keyidx = 0; 3208 _rsc = NULL; 3209 if (sm->rx_eapol_key_secure) { 3210 /* 3211 * It looks like Windows 7 supplicant tries to use 3212 * Secure bit in msg 2/4 after having reported Michael 3213 * MIC failure and it then rejects the 4-way handshake 3214 * if msg 3/4 does not set Secure bit. Work around this 3215 * by setting the Secure bit here even in the case of 3216 * WPA if the supplicant used it first. 3217 */ 3218 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3219 "STA used Secure bit in WPA msg 2/4 - " 3220 "set Secure for 3/4 as workaround"); 3221 secure = 1; 3222 } 3223 } 3224 3225 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm); 3226 if (gtk) 3227 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 3228#ifdef CONFIG_IEEE80211R_AP 3229 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 3230 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 3231 kde_len += 300; /* FTIE + 2 * TIE */ 3232 } 3233#endif /* CONFIG_IEEE80211R_AP */ 3234#ifdef CONFIG_P2P 3235 if (WPA_GET_BE32(sm->ip_addr) > 0) 3236 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4; 3237#endif /* CONFIG_P2P */ 3238 kde = os_malloc(kde_len); 3239 if (kde == NULL) 3240 return; 3241 3242 pos = kde; 3243 os_memcpy(pos, wpa_ie, wpa_ie_len); 3244 pos += wpa_ie_len; 3245#ifdef CONFIG_IEEE80211R_AP 3246 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 3247 int res; 3248 size_t elen; 3249 3250 elen = pos - kde; 3251 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name); 3252 if (res < 0) { 3253 wpa_printf(MSG_ERROR, "FT: Failed to insert " 3254 "PMKR1Name into RSN IE in EAPOL-Key data"); 3255 os_free(kde); 3256 return; 3257 } 3258 pos -= wpa_ie_len; 3259 pos += elen; 3260 } 3261#endif /* CONFIG_IEEE80211R_AP */ 3262 if (gtk) { 3263 u8 hdr[2]; 3264 hdr[0] = keyidx & 0x03; 3265 hdr[1] = 0; 3266 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 3267 gtk, gtk_len); 3268 } 3269 pos = ieee80211w_kde_add(sm, pos); 3270 if (ocv_oci_add(sm, &pos) < 0) { 3271 os_free(kde); 3272 return; 3273 } 3274 3275#ifdef CONFIG_IEEE80211R_AP 3276 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 3277 int res; 3278 struct wpa_auth_config *conf; 3279 3280 conf = &sm->wpa_auth->conf; 3281 if (sm->assoc_resp_ftie && 3282 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) { 3283 os_memcpy(pos, sm->assoc_resp_ftie, 3284 2 + sm->assoc_resp_ftie[1]); 3285 res = 2 + sm->assoc_resp_ftie[1]; 3286 } else { 3287 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt); 3288 3289 res = wpa_write_ftie(conf, use_sha384, 3290 conf->r0_key_holder, 3291 conf->r0_key_holder_len, 3292 NULL, NULL, pos, 3293 kde + kde_len - pos, 3294 NULL, 0); 3295 } 3296 if (res < 0) { 3297 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 3298 "into EAPOL-Key Key Data"); 3299 os_free(kde); 3300 return; 3301 } 3302 pos += res; 3303 3304 /* TIE[ReassociationDeadline] (TU) */ 3305 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 3306 *pos++ = 5; 3307 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 3308 WPA_PUT_LE32(pos, conf->reassociation_deadline); 3309 pos += 4; 3310 3311 /* TIE[KeyLifetime] (seconds) */ 3312 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 3313 *pos++ = 5; 3314 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 3315 WPA_PUT_LE32(pos, conf->r0_key_lifetime); 3316 pos += 4; 3317 } 3318#endif /* CONFIG_IEEE80211R_AP */ 3319#ifdef CONFIG_P2P 3320 if (WPA_GET_BE32(sm->ip_addr) > 0) { 3321 u8 addr[3 * 4]; 3322 os_memcpy(addr, sm->ip_addr, 4); 3323 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4); 3324 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4); 3325 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC, 3326 addr, sizeof(addr), NULL, 0); 3327 } 3328#endif /* CONFIG_P2P */ 3329 3330 wpa_send_eapol(sm->wpa_auth, sm, 3331 (secure ? WPA_KEY_INFO_SECURE : 0) | 3332 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 3333 WPA_KEY_INFO_MIC : 0) | 3334 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 3335 WPA_KEY_INFO_KEY_TYPE, 3336 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 3337 os_free(kde); 3338} 3339 3340 3341SM_STATE(WPA_PTK, PTKINITDONE) 3342{ 3343 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk); 3344 sm->EAPOLKeyReceived = FALSE; 3345 if (sm->Pair) { 3346 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); 3347 int klen = wpa_cipher_key_len(sm->pairwise); 3348 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 3349 sm->PTK.tk, klen)) { 3350 wpa_sta_disconnect(sm->wpa_auth, sm->addr, 3351 WLAN_REASON_PREV_AUTH_NOT_VALID); 3352 return; 3353 } 3354 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ 3355 sm->pairwise_set = TRUE; 3356 3357 wpa_auth_set_ptk_rekey_timer(sm); 3358 3359 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 3360 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP || 3361 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) { 3362 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 3363 WPA_EAPOL_authorized, 1); 3364 } 3365 } 3366 3367 if (0 /* IBSS == TRUE */) { 3368 sm->keycount++; 3369 if (sm->keycount == 2) { 3370 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 3371 WPA_EAPOL_portValid, 1); 3372 } 3373 } else { 3374 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 3375 1); 3376 } 3377 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0); 3378 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1); 3379 if (sm->wpa == WPA_VERSION_WPA) 3380 sm->PInitAKeys = TRUE; 3381 else 3382 sm->has_GTK = TRUE; 3383 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3384 "pairwise key handshake completed (%s)", 3385 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 3386 3387#ifdef CONFIG_IEEE80211R_AP 3388 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr); 3389#endif /* CONFIG_IEEE80211R_AP */ 3390} 3391 3392 3393SM_STEP(WPA_PTK) 3394{ 3395 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 3396 3397 if (sm->Init) 3398 SM_ENTER(WPA_PTK, INITIALIZE); 3399 else if (sm->Disconnect 3400 /* || FIX: dot11RSNAConfigSALifetime timeout */) { 3401 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 3402 "WPA_PTK: sm->Disconnect"); 3403 SM_ENTER(WPA_PTK, DISCONNECT); 3404 } 3405 else if (sm->DeauthenticationRequest) 3406 SM_ENTER(WPA_PTK, DISCONNECTED); 3407 else if (sm->AuthenticationRequest) 3408 SM_ENTER(WPA_PTK, AUTHENTICATION); 3409 else if (sm->ReAuthenticationRequest) 3410 SM_ENTER(WPA_PTK, AUTHENTICATION2); 3411 else if (sm->PTKRequest) { 3412 if (wpa_auth_sm_ptk_update(sm) < 0) 3413 SM_ENTER(WPA_PTK, DISCONNECTED); 3414 else 3415 SM_ENTER(WPA_PTK, PTKSTART); 3416 } else switch (sm->wpa_ptk_state) { 3417 case WPA_PTK_INITIALIZE: 3418 break; 3419 case WPA_PTK_DISCONNECT: 3420 SM_ENTER(WPA_PTK, DISCONNECTED); 3421 break; 3422 case WPA_PTK_DISCONNECTED: 3423 SM_ENTER(WPA_PTK, INITIALIZE); 3424 break; 3425 case WPA_PTK_AUTHENTICATION: 3426 SM_ENTER(WPA_PTK, AUTHENTICATION2); 3427 break; 3428 case WPA_PTK_AUTHENTICATION2: 3429 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 3430 wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 3431 WPA_EAPOL_keyRun) > 0) 3432 SM_ENTER(WPA_PTK, INITPMK); 3433 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 3434 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE 3435 /* FIX: && 802.1X::keyRun */) 3436 SM_ENTER(WPA_PTK, INITPSK); 3437 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) 3438 SM_ENTER(WPA_PTK, INITPMK); 3439 break; 3440 case WPA_PTK_INITPMK: 3441 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 3442 WPA_EAPOL_keyAvailable) > 0) { 3443 SM_ENTER(WPA_PTK, PTKSTART); 3444#ifdef CONFIG_DPP 3445 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->pmksa) { 3446 SM_ENTER(WPA_PTK, PTKSTART); 3447#endif /* CONFIG_DPP */ 3448 } else { 3449 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3450 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3451 "INITPMK - keyAvailable = false"); 3452 SM_ENTER(WPA_PTK, DISCONNECT); 3453 } 3454 break; 3455 case WPA_PTK_INITPSK: 3456 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, 3457 NULL, NULL, NULL)) { 3458 SM_ENTER(WPA_PTK, PTKSTART); 3459#ifdef CONFIG_SAE 3460 } else if (wpa_auth_uses_sae(sm) && sm->pmksa) { 3461 SM_ENTER(WPA_PTK, PTKSTART); 3462#endif /* CONFIG_SAE */ 3463 } else { 3464 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3465 "no PSK configured for the STA"); 3466 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3467 SM_ENTER(WPA_PTK, DISCONNECT); 3468 } 3469 break; 3470 case WPA_PTK_PTKSTART: 3471 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3472 sm->EAPOLKeyPairwise) 3473 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3474 else if (sm->TimeoutCtr > 3475 sm->wpa_auth->conf.wpa_pairwise_update_count) { 3476 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3477 wpa_auth_vlogger( 3478 sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3479 "PTKSTART: Retry limit %u reached", 3480 sm->wpa_auth->conf.wpa_pairwise_update_count); 3481 SM_ENTER(WPA_PTK, DISCONNECT); 3482 } else if (sm->TimeoutEvt) 3483 SM_ENTER(WPA_PTK, PTKSTART); 3484 break; 3485 case WPA_PTK_PTKCALCNEGOTIATING: 3486 if (sm->MICVerified) 3487 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2); 3488 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3489 sm->EAPOLKeyPairwise) 3490 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3491 else if (sm->TimeoutEvt) 3492 SM_ENTER(WPA_PTK, PTKSTART); 3493 break; 3494 case WPA_PTK_PTKCALCNEGOTIATING2: 3495 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 3496 break; 3497 case WPA_PTK_PTKINITNEGOTIATING: 3498 if (sm->update_snonce) 3499 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3500 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3501 sm->EAPOLKeyPairwise && sm->MICVerified) 3502 SM_ENTER(WPA_PTK, PTKINITDONE); 3503 else if (sm->TimeoutCtr > 3504 sm->wpa_auth->conf.wpa_pairwise_update_count || 3505 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries && 3506 sm->TimeoutCtr > 1)) { 3507 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3508 wpa_auth_vlogger( 3509 sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3510 "PTKINITNEGOTIATING: Retry limit %u reached", 3511 sm->wpa_auth->conf.wpa_pairwise_update_count); 3512 SM_ENTER(WPA_PTK, DISCONNECT); 3513 } else if (sm->TimeoutEvt) 3514 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 3515 break; 3516 case WPA_PTK_PTKINITDONE: 3517 break; 3518 } 3519} 3520 3521 3522SM_STATE(WPA_PTK_GROUP, IDLE) 3523{ 3524 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group); 3525 if (sm->Init) { 3526 /* Init flag is not cleared here, so avoid busy 3527 * loop by claiming nothing changed. */ 3528 sm->changed = FALSE; 3529 } 3530 sm->GTimeoutCtr = 0; 3531} 3532 3533 3534SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING) 3535{ 3536 u8 rsc[WPA_KEY_RSC_LEN]; 3537 struct wpa_group *gsm = sm->group; 3538 const u8 *kde; 3539 u8 *kde_buf = NULL, *pos, hdr[2]; 3540 size_t kde_len; 3541 u8 *gtk, dummy_gtk[32]; 3542 3543 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group); 3544 3545 sm->GTimeoutCtr++; 3546 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries && 3547 sm->GTimeoutCtr > 1) { 3548 /* Do not allow retransmission of EAPOL-Key group msg 1/2 */ 3549 return; 3550 } 3551 if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) { 3552 /* No point in sending the EAPOL-Key - we will disconnect 3553 * immediately following this. */ 3554 return; 3555 } 3556 3557 if (sm->wpa == WPA_VERSION_WPA) 3558 sm->PInitAKeys = FALSE; 3559 sm->TimeoutEvt = FALSE; 3560 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 3561 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 3562 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE) 3563 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 3564 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3565 "sending 1/2 msg of Group Key Handshake"); 3566 3567 gtk = gsm->GTK[gsm->GN - 1]; 3568 if (sm->wpa_auth->conf.disable_gtk || 3569 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) { 3570 /* 3571 * Provide unique random GTK to each STA to prevent use 3572 * of GTK in the BSS. 3573 */ 3574 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0) 3575 return; 3576 gtk = dummy_gtk; 3577 } 3578 if (sm->wpa == WPA_VERSION_WPA2) { 3579 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 3580 ieee80211w_kde_len(sm) + ocv_oci_len(sm); 3581 kde_buf = os_malloc(kde_len); 3582 if (kde_buf == NULL) 3583 return; 3584 3585 kde = pos = kde_buf; 3586 hdr[0] = gsm->GN & 0x03; 3587 hdr[1] = 0; 3588 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 3589 gtk, gsm->GTK_len); 3590 pos = ieee80211w_kde_add(sm, pos); 3591 if (ocv_oci_add(sm, &pos) < 0) { 3592 os_free(kde_buf); 3593 return; 3594 } 3595 kde_len = pos - kde; 3596 } else { 3597 kde = gtk; 3598 kde_len = gsm->GTK_len; 3599 } 3600 3601 wpa_send_eapol(sm->wpa_auth, sm, 3602 WPA_KEY_INFO_SECURE | 3603 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 3604 WPA_KEY_INFO_MIC : 0) | 3605 WPA_KEY_INFO_ACK | 3606 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 3607 rsc, NULL, kde, kde_len, gsm->GN, 1); 3608 3609 os_free(kde_buf); 3610} 3611 3612 3613SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) 3614{ 3615#ifdef CONFIG_OCV 3616 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 3617 const u8 *key_data, *mic; 3618 struct ieee802_1x_hdr *hdr; 3619 struct wpa_eapol_key *key; 3620 struct wpa_eapol_ie_parse kde; 3621 size_t mic_len; 3622 u16 key_data_length; 3623#endif /* CONFIG_OCV */ 3624 3625 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group); 3626 sm->EAPOLKeyReceived = FALSE; 3627 3628#ifdef CONFIG_OCV 3629 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 3630 3631 /* 3632 * Note: last_rx_eapol_key length fields have already been validated in 3633 * wpa_receive(). 3634 */ 3635 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key; 3636 key = (struct wpa_eapol_key *) (hdr + 1); 3637 mic = (u8 *) (key + 1); 3638 key_data = mic + mic_len + 2; 3639 key_data_length = WPA_GET_BE16(mic + mic_len); 3640 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) - 3641 sizeof(*key) - mic_len - 2) 3642 return; 3643 3644 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) { 3645 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 3646 "received EAPOL-Key group msg 2/2 with invalid Key Data contents"); 3647 return; 3648 } 3649 3650 if (wpa_auth_uses_ocv(sm)) { 3651 struct wpa_channel_info ci; 3652 int tx_chanwidth; 3653 int tx_seg1_idx; 3654 3655 if (wpa_channel_info(wpa_auth, &ci) != 0) { 3656 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 3657 "Failed to get channel info to validate received OCI in EAPOL-Key group 1/2"); 3658 return; 3659 } 3660 3661 if (get_sta_tx_parameters(sm, 3662 channel_width_to_int(ci.chanwidth), 3663 ci.seg1_idx, &tx_chanwidth, 3664 &tx_seg1_idx) < 0) 3665 return; 3666 3667 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci, 3668 tx_chanwidth, tx_seg1_idx) != 0) { 3669 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 3670 ocv_errorstr); 3671 return; 3672 } 3673 } 3674#endif /* CONFIG_OCV */ 3675 3676 if (sm->GUpdateStationKeys) 3677 sm->group->GKeyDoneStations--; 3678 sm->GUpdateStationKeys = FALSE; 3679 sm->GTimeoutCtr = 0; 3680 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */ 3681 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3682 "group key handshake completed (%s)", 3683 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 3684 sm->has_GTK = TRUE; 3685} 3686 3687 3688SM_STATE(WPA_PTK_GROUP, KEYERROR) 3689{ 3690 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group); 3691 if (sm->GUpdateStationKeys) 3692 sm->group->GKeyDoneStations--; 3693 sm->GUpdateStationKeys = FALSE; 3694 sm->Disconnect = TRUE; 3695 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3696 "group key handshake failed (%s) after %u tries", 3697 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN", 3698 sm->wpa_auth->conf.wpa_group_update_count); 3699} 3700 3701 3702SM_STEP(WPA_PTK_GROUP) 3703{ 3704 if (sm->Init || sm->PtkGroupInit) { 3705 SM_ENTER(WPA_PTK_GROUP, IDLE); 3706 sm->PtkGroupInit = FALSE; 3707 } else switch (sm->wpa_ptk_group_state) { 3708 case WPA_PTK_GROUP_IDLE: 3709 if (sm->GUpdateStationKeys || 3710 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys)) 3711 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 3712 break; 3713 case WPA_PTK_GROUP_REKEYNEGOTIATING: 3714 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3715 !sm->EAPOLKeyPairwise && sm->MICVerified) 3716 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED); 3717 else if (sm->GTimeoutCtr > 3718 sm->wpa_auth->conf.wpa_group_update_count || 3719 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries && 3720 sm->GTimeoutCtr > 1)) 3721 SM_ENTER(WPA_PTK_GROUP, KEYERROR); 3722 else if (sm->TimeoutEvt) 3723 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 3724 break; 3725 case WPA_PTK_GROUP_KEYERROR: 3726 SM_ENTER(WPA_PTK_GROUP, IDLE); 3727 break; 3728 case WPA_PTK_GROUP_REKEYESTABLISHED: 3729 SM_ENTER(WPA_PTK_GROUP, IDLE); 3730 break; 3731 } 3732} 3733 3734 3735static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 3736 struct wpa_group *group) 3737{ 3738 int ret = 0; 3739 3740 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 3741 inc_byte_array(group->Counter, WPA_NONCE_LEN); 3742 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion", 3743 wpa_auth->addr, group->GNonce, 3744 group->GTK[group->GN - 1], group->GTK_len) < 0) 3745 ret = -1; 3746 wpa_hexdump_key(MSG_DEBUG, "GTK", 3747 group->GTK[group->GN - 1], group->GTK_len); 3748 3749#ifdef CONFIG_IEEE80211W 3750 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 3751 size_t len; 3752 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 3753 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 3754 inc_byte_array(group->Counter, WPA_NONCE_LEN); 3755 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion", 3756 wpa_auth->addr, group->GNonce, 3757 group->IGTK[group->GN_igtk - 4], len) < 0) 3758 ret = -1; 3759 wpa_hexdump_key(MSG_DEBUG, "IGTK", 3760 group->IGTK[group->GN_igtk - 4], len); 3761 } 3762#endif /* CONFIG_IEEE80211W */ 3763 3764 return ret; 3765} 3766 3767 3768static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth, 3769 struct wpa_group *group) 3770{ 3771 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 3772 "GTK_INIT (VLAN-ID %d)", group->vlan_id); 3773 group->changed = FALSE; /* GInit is not cleared here; avoid loop */ 3774 group->wpa_group_state = WPA_GROUP_GTK_INIT; 3775 3776 /* GTK[0..N] = 0 */ 3777 os_memset(group->GTK, 0, sizeof(group->GTK)); 3778 group->GN = 1; 3779 group->GM = 2; 3780#ifdef CONFIG_IEEE80211W 3781 group->GN_igtk = 4; 3782 group->GM_igtk = 5; 3783#endif /* CONFIG_IEEE80211W */ 3784 /* GTK[GN] = CalcGTK() */ 3785 wpa_gtk_update(wpa_auth, group); 3786} 3787 3788 3789static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx) 3790{ 3791 if (ctx != NULL && ctx != sm->group) 3792 return 0; 3793 3794 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) { 3795 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3796 "Not in PTKINITDONE; skip Group Key update"); 3797 sm->GUpdateStationKeys = FALSE; 3798 return 0; 3799 } 3800 if (sm->GUpdateStationKeys) { 3801 /* 3802 * This should not really happen, so add a debug log entry. 3803 * Since we clear the GKeyDoneStations before the loop, the 3804 * station needs to be counted here anyway. 3805 */ 3806 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3807 "GUpdateStationKeys was already set when " 3808 "marking station for GTK rekeying"); 3809 } 3810 3811 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */ 3812 if (sm->is_wnmsleep) 3813 return 0; 3814 3815 sm->group->GKeyDoneStations++; 3816 sm->GUpdateStationKeys = TRUE; 3817 3818 wpa_sm_step(sm); 3819 return 0; 3820} 3821 3822 3823#ifdef CONFIG_WNM_AP 3824/* update GTK when exiting WNM-Sleep Mode */ 3825void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm) 3826{ 3827 if (sm == NULL || sm->is_wnmsleep) 3828 return; 3829 3830 wpa_group_update_sta(sm, NULL); 3831} 3832 3833 3834void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag) 3835{ 3836 if (sm) 3837 sm->is_wnmsleep = !!flag; 3838} 3839 3840 3841int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos) 3842{ 3843 struct wpa_group *gsm = sm->group; 3844 u8 *start = pos; 3845 3846 /* 3847 * GTK subelement: 3848 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] | 3849 * Key[5..32] 3850 */ 3851 *pos++ = WNM_SLEEP_SUBELEM_GTK; 3852 *pos++ = 11 + gsm->GTK_len; 3853 /* Key ID in B0-B1 of Key Info */ 3854 WPA_PUT_LE16(pos, gsm->GN & 0x03); 3855 pos += 2; 3856 *pos++ = gsm->GTK_len; 3857 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0) 3858 return 0; 3859 pos += 8; 3860 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len); 3861 pos += gsm->GTK_len; 3862 3863 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit", 3864 gsm->GN); 3865 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit", 3866 gsm->GTK[gsm->GN - 1], gsm->GTK_len); 3867 3868 return pos - start; 3869} 3870 3871 3872#ifdef CONFIG_IEEE80211W 3873int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos) 3874{ 3875 struct wpa_group *gsm = sm->group; 3876 u8 *start = pos; 3877 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 3878 3879 /* 3880 * IGTK subelement: 3881 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16] 3882 */ 3883 *pos++ = WNM_SLEEP_SUBELEM_IGTK; 3884 *pos++ = 2 + 6 + len; 3885 WPA_PUT_LE16(pos, gsm->GN_igtk); 3886 pos += 2; 3887 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0) 3888 return 0; 3889 pos += 6; 3890 3891 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len); 3892 pos += len; 3893 3894 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit", 3895 gsm->GN_igtk); 3896 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit", 3897 gsm->IGTK[gsm->GN_igtk - 4], len); 3898 3899 return pos - start; 3900} 3901#endif /* CONFIG_IEEE80211W */ 3902#endif /* CONFIG_WNM_AP */ 3903 3904 3905static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth, 3906 struct wpa_group *group) 3907{ 3908 int tmp; 3909 3910 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 3911 "SETKEYS (VLAN-ID %d)", group->vlan_id); 3912 group->changed = TRUE; 3913 group->wpa_group_state = WPA_GROUP_SETKEYS; 3914 group->GTKReKey = FALSE; 3915 tmp = group->GM; 3916 group->GM = group->GN; 3917 group->GN = tmp; 3918#ifdef CONFIG_IEEE80211W 3919 tmp = group->GM_igtk; 3920 group->GM_igtk = group->GN_igtk; 3921 group->GN_igtk = tmp; 3922#endif /* CONFIG_IEEE80211W */ 3923 /* "GKeyDoneStations = GNoStations" is done in more robust way by 3924 * counting the STAs that are marked with GUpdateStationKeys instead of 3925 * including all STAs that could be in not-yet-completed state. */ 3926 wpa_gtk_update(wpa_auth, group); 3927 3928 if (group->GKeyDoneStations) { 3929 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected " 3930 "GKeyDoneStations=%d when starting new GTK rekey", 3931 group->GKeyDoneStations); 3932 group->GKeyDoneStations = 0; 3933 } 3934 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group); 3935 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d", 3936 group->GKeyDoneStations); 3937} 3938 3939 3940static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 3941 struct wpa_group *group) 3942{ 3943 int ret = 0; 3944 3945 if (wpa_auth_set_key(wpa_auth, group->vlan_id, 3946 wpa_cipher_to_alg(wpa_auth->conf.wpa_group), 3947 broadcast_ether_addr, group->GN, 3948 group->GTK[group->GN - 1], group->GTK_len) < 0) 3949 ret = -1; 3950 3951#ifdef CONFIG_IEEE80211W 3952 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 3953 enum wpa_alg alg; 3954 size_t len; 3955 3956 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher); 3957 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 3958 3959 if (ret == 0 && 3960 wpa_auth_set_key(wpa_auth, group->vlan_id, alg, 3961 broadcast_ether_addr, group->GN_igtk, 3962 group->IGTK[group->GN_igtk - 4], len) < 0) 3963 ret = -1; 3964 } 3965#endif /* CONFIG_IEEE80211W */ 3966 3967 return ret; 3968} 3969 3970 3971static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx) 3972{ 3973 if (sm->group == ctx) { 3974 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR 3975 " for discconnection due to fatal failure", 3976 MAC2STR(sm->addr)); 3977 sm->Disconnect = TRUE; 3978 } 3979 3980 return 0; 3981} 3982 3983 3984static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth, 3985 struct wpa_group *group) 3986{ 3987 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE"); 3988 group->changed = TRUE; 3989 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE; 3990 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group); 3991} 3992 3993 3994static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth, 3995 struct wpa_group *group) 3996{ 3997 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 3998 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id); 3999 group->changed = TRUE; 4000 group->wpa_group_state = WPA_GROUP_SETKEYSDONE; 4001 4002 if (wpa_group_config_group_keys(wpa_auth, group) < 0) { 4003 wpa_group_fatal_failure(wpa_auth, group); 4004 return -1; 4005 } 4006 4007 return 0; 4008} 4009 4010 4011static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 4012 struct wpa_group *group) 4013{ 4014 if (group->GInit) { 4015 wpa_group_gtk_init(wpa_auth, group); 4016 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) { 4017 /* Do not allow group operations */ 4018 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT && 4019 group->GTKAuthenticator) { 4020 wpa_group_setkeysdone(wpa_auth, group); 4021 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE && 4022 group->GTKReKey) { 4023 wpa_group_setkeys(wpa_auth, group); 4024 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) { 4025 if (group->GKeyDoneStations == 0) 4026 wpa_group_setkeysdone(wpa_auth, group); 4027 else if (group->GTKReKey) 4028 wpa_group_setkeys(wpa_auth, group); 4029 } 4030} 4031 4032 4033static int wpa_sm_step(struct wpa_state_machine *sm) 4034{ 4035 if (sm == NULL) 4036 return 0; 4037 4038 if (sm->in_step_loop) { 4039 /* This should not happen, but if it does, make sure we do not 4040 * end up freeing the state machine too early by exiting the 4041 * recursive call. */ 4042 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively"); 4043 return 0; 4044 } 4045 4046 sm->in_step_loop = 1; 4047 do { 4048 if (sm->pending_deinit) 4049 break; 4050 4051 sm->changed = FALSE; 4052 sm->wpa_auth->group->changed = FALSE; 4053 4054 SM_STEP_RUN(WPA_PTK); 4055 if (sm->pending_deinit) 4056 break; 4057 SM_STEP_RUN(WPA_PTK_GROUP); 4058 if (sm->pending_deinit) 4059 break; 4060 wpa_group_sm_step(sm->wpa_auth, sm->group); 4061 } while (sm->changed || sm->wpa_auth->group->changed); 4062 sm->in_step_loop = 0; 4063 4064 if (sm->pending_deinit) { 4065 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state " 4066 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 4067 wpa_free_sta_sm(sm); 4068 return 1; 4069 } 4070 return 0; 4071} 4072 4073 4074static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx) 4075{ 4076 struct wpa_state_machine *sm = eloop_ctx; 4077 wpa_sm_step(sm); 4078} 4079 4080 4081void wpa_auth_sm_notify(struct wpa_state_machine *sm) 4082{ 4083 if (sm == NULL) 4084 return; 4085 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL); 4086} 4087 4088 4089void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth) 4090{ 4091 int tmp, i; 4092 struct wpa_group *group; 4093 4094 if (wpa_auth == NULL) 4095 return; 4096 4097 group = wpa_auth->group; 4098 4099 for (i = 0; i < 2; i++) { 4100 tmp = group->GM; 4101 group->GM = group->GN; 4102 group->GN = tmp; 4103#ifdef CONFIG_IEEE80211W 4104 tmp = group->GM_igtk; 4105 group->GM_igtk = group->GN_igtk; 4106 group->GN_igtk = tmp; 4107#endif /* CONFIG_IEEE80211W */ 4108 wpa_gtk_update(wpa_auth, group); 4109 wpa_group_config_group_keys(wpa_auth, group); 4110 } 4111} 4112 4113 4114static const char * wpa_bool_txt(int val) 4115{ 4116 return val ? "TRUE" : "FALSE"; 4117} 4118 4119 4120#define RSN_SUITE "%02x-%02x-%02x-%d" 4121#define RSN_SUITE_ARG(s) \ 4122((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 4123 4124int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen) 4125{ 4126 int len = 0, ret; 4127 char pmkid_txt[PMKID_LEN * 2 + 1]; 4128#ifdef CONFIG_RSN_PREAUTH 4129 const int preauth = 1; 4130#else /* CONFIG_RSN_PREAUTH */ 4131 const int preauth = 0; 4132#endif /* CONFIG_RSN_PREAUTH */ 4133 4134 if (wpa_auth == NULL) 4135 return len; 4136 4137 ret = os_snprintf(buf + len, buflen - len, 4138 "dot11RSNAOptionImplemented=TRUE\n" 4139 "dot11RSNAPreauthenticationImplemented=%s\n" 4140 "dot11RSNAEnabled=%s\n" 4141 "dot11RSNAPreauthenticationEnabled=%s\n", 4142 wpa_bool_txt(preauth), 4143 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN), 4144 wpa_bool_txt(wpa_auth->conf.rsn_preauth)); 4145 if (os_snprintf_error(buflen - len, ret)) 4146 return len; 4147 len += ret; 4148 4149 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 4150 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN); 4151 4152 ret = os_snprintf( 4153 buf + len, buflen - len, 4154 "dot11RSNAConfigVersion=%u\n" 4155 "dot11RSNAConfigPairwiseKeysSupported=9999\n" 4156 /* FIX: dot11RSNAConfigGroupCipher */ 4157 /* FIX: dot11RSNAConfigGroupRekeyMethod */ 4158 /* FIX: dot11RSNAConfigGroupRekeyTime */ 4159 /* FIX: dot11RSNAConfigGroupRekeyPackets */ 4160 "dot11RSNAConfigGroupRekeyStrict=%u\n" 4161 "dot11RSNAConfigGroupUpdateCount=%u\n" 4162 "dot11RSNAConfigPairwiseUpdateCount=%u\n" 4163 "dot11RSNAConfigGroupCipherSize=%u\n" 4164 "dot11RSNAConfigPMKLifetime=%u\n" 4165 "dot11RSNAConfigPMKReauthThreshold=%u\n" 4166 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n" 4167 "dot11RSNAConfigSATimeout=%u\n" 4168 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 4169 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 4170 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 4171 "dot11RSNAPMKIDUsed=%s\n" 4172 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 4173 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 4174 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 4175 "dot11RSNATKIPCounterMeasuresInvoked=%u\n" 4176 "dot11RSNA4WayHandshakeFailures=%u\n" 4177 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n", 4178 RSN_VERSION, 4179 !!wpa_auth->conf.wpa_strict_rekey, 4180 wpa_auth->conf.wpa_group_update_count, 4181 wpa_auth->conf.wpa_pairwise_update_count, 4182 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8, 4183 dot11RSNAConfigPMKLifetime, 4184 dot11RSNAConfigPMKReauthThreshold, 4185 dot11RSNAConfigSATimeout, 4186 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected), 4187 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected), 4188 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected), 4189 pmkid_txt, 4190 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested), 4191 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested), 4192 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested), 4193 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked, 4194 wpa_auth->dot11RSNA4WayHandshakeFailures); 4195 if (os_snprintf_error(buflen - len, ret)) 4196 return len; 4197 len += ret; 4198 4199 /* TODO: dot11RSNAConfigPairwiseCiphersTable */ 4200 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */ 4201 4202 /* Private MIB */ 4203 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n", 4204 wpa_auth->group->wpa_group_state); 4205 if (os_snprintf_error(buflen - len, ret)) 4206 return len; 4207 len += ret; 4208 4209 return len; 4210} 4211 4212 4213int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen) 4214{ 4215 int len = 0, ret; 4216 u32 pairwise = 0; 4217 4218 if (sm == NULL) 4219 return 0; 4220 4221 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */ 4222 4223 /* dot11RSNAStatsEntry */ 4224 4225 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ? 4226 WPA_PROTO_RSN : WPA_PROTO_WPA, 4227 sm->pairwise); 4228 if (pairwise == 0) 4229 return 0; 4230 4231 ret = os_snprintf( 4232 buf + len, buflen - len, 4233 /* TODO: dot11RSNAStatsIndex */ 4234 "dot11RSNAStatsSTAAddress=" MACSTR "\n" 4235 "dot11RSNAStatsVersion=1\n" 4236 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n" 4237 /* TODO: dot11RSNAStatsTKIPICVErrors */ 4238 "dot11RSNAStatsTKIPLocalMICFailures=%u\n" 4239 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n" 4240 /* TODO: dot11RSNAStatsCCMPReplays */ 4241 /* TODO: dot11RSNAStatsCCMPDecryptErrors */ 4242 /* TODO: dot11RSNAStatsTKIPReplays */, 4243 MAC2STR(sm->addr), 4244 RSN_SUITE_ARG(pairwise), 4245 sm->dot11RSNAStatsTKIPLocalMICFailures, 4246 sm->dot11RSNAStatsTKIPRemoteMICFailures); 4247 if (os_snprintf_error(buflen - len, ret)) 4248 return len; 4249 len += ret; 4250 4251 /* Private MIB */ 4252 ret = os_snprintf(buf + len, buflen - len, 4253 "wpa=%d\n" 4254 "AKMSuiteSelector=" RSN_SUITE "\n" 4255 "hostapdWPAPTKState=%d\n" 4256 "hostapdWPAPTKGroupState=%d\n", 4257 sm->wpa, 4258 RSN_SUITE_ARG(wpa_akm_to_suite(sm->wpa_key_mgmt)), 4259 sm->wpa_ptk_state, 4260 sm->wpa_ptk_group_state); 4261 if (os_snprintf_error(buflen - len, ret)) 4262 return len; 4263 len += ret; 4264 4265 return len; 4266} 4267 4268 4269void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth) 4270{ 4271 if (wpa_auth) 4272 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++; 4273} 4274 4275 4276int wpa_auth_pairwise_set(struct wpa_state_machine *sm) 4277{ 4278 return sm && sm->pairwise_set; 4279} 4280 4281 4282int wpa_auth_get_pairwise(struct wpa_state_machine *sm) 4283{ 4284 return sm->pairwise; 4285} 4286 4287 4288const u8 * wpa_auth_get_pmk(struct wpa_state_machine *sm, int *len) 4289{ 4290 if (!sm) 4291 return NULL; 4292 *len = sm->pmk_len; 4293 return sm->PMK; 4294} 4295 4296 4297int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm) 4298{ 4299 if (sm == NULL) 4300 return -1; 4301 return sm->wpa_key_mgmt; 4302} 4303 4304 4305int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) 4306{ 4307 if (sm == NULL) 4308 return 0; 4309 return sm->wpa; 4310} 4311 4312 4313int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm) 4314{ 4315 if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 4316 return 0; 4317 return sm->tk_already_set; 4318} 4319 4320 4321int wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine *sm) 4322{ 4323 if (!sm || !wpa_key_mgmt_fils(sm->wpa_key_mgmt)) 4324 return 0; 4325 return sm->tk_already_set; 4326} 4327 4328 4329int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, 4330 struct rsn_pmksa_cache_entry *entry) 4331{ 4332 if (sm == NULL || sm->pmksa != entry) 4333 return -1; 4334 sm->pmksa = NULL; 4335 return 0; 4336} 4337 4338 4339struct rsn_pmksa_cache_entry * 4340wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm) 4341{ 4342 return sm ? sm->pmksa : NULL; 4343} 4344 4345 4346void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm) 4347{ 4348 if (sm) 4349 sm->dot11RSNAStatsTKIPLocalMICFailures++; 4350} 4351 4352 4353const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len) 4354{ 4355 if (wpa_auth == NULL) 4356 return NULL; 4357 *len = wpa_auth->wpa_ie_len; 4358 return wpa_auth->wpa_ie; 4359} 4360 4361 4362int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, 4363 unsigned int pmk_len, 4364 int session_timeout, struct eapol_state_machine *eapol) 4365{ 4366 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 || 4367 sm->wpa_auth->conf.disable_pmksa_caching) 4368 return -1; 4369 4370#ifdef CONFIG_IEEE80211R_AP 4371 if (pmk_len >= 2 * PMK_LEN && wpa_key_mgmt_ft(sm->wpa_key_mgmt) && 4372 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 4373 !wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) { 4374 /* Cache MPMK/XXKey instead of initial part from MSK */ 4375 pmk = pmk + PMK_LEN; 4376 pmk_len = PMK_LEN; 4377 } else 4378#endif /* CONFIG_IEEE80211R_AP */ 4379 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) { 4380 if (pmk_len > PMK_LEN_SUITE_B_192) 4381 pmk_len = PMK_LEN_SUITE_B_192; 4382 } else if (pmk_len > PMK_LEN) { 4383 pmk_len = PMK_LEN; 4384 } 4385 4386 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK", pmk, pmk_len); 4387 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL, 4388 sm->PTK.kck, sm->PTK.kck_len, 4389 sm->wpa_auth->addr, sm->addr, session_timeout, 4390 eapol, sm->wpa_key_mgmt)) 4391 return 0; 4392 4393 return -1; 4394} 4395 4396 4397int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, 4398 const u8 *pmk, size_t len, const u8 *sta_addr, 4399 int session_timeout, 4400 struct eapol_state_machine *eapol) 4401{ 4402 if (wpa_auth == NULL) 4403 return -1; 4404 4405 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from preauth", pmk, len); 4406 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL, 4407 NULL, 0, 4408 wpa_auth->addr, 4409 sta_addr, session_timeout, eapol, 4410 WPA_KEY_MGMT_IEEE8021X)) 4411 return 0; 4412 4413 return -1; 4414} 4415 4416 4417int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr, 4418 const u8 *pmk, const u8 *pmkid) 4419{ 4420 if (wpa_auth->conf.disable_pmksa_caching) 4421 return -1; 4422 4423 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from SAE", pmk, PMK_LEN); 4424 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid, 4425 NULL, 0, 4426 wpa_auth->addr, addr, 0, NULL, 4427 WPA_KEY_MGMT_SAE)) 4428 return 0; 4429 4430 return -1; 4431} 4432 4433 4434void wpa_auth_add_sae_pmkid(struct wpa_state_machine *sm, const u8 *pmkid) 4435{ 4436 os_memcpy(sm->pmkid, pmkid, PMKID_LEN); 4437 sm->pmkid_set = 1; 4438} 4439 4440 4441int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr, 4442 const u8 *pmk, size_t pmk_len, const u8 *pmkid, 4443 int session_timeout, int akmp) 4444{ 4445 if (wpa_auth->conf.disable_pmksa_caching) 4446 return -1; 4447 4448 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK (2)", pmk, PMK_LEN); 4449 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid, 4450 NULL, 0, wpa_auth->addr, addr, session_timeout, 4451 NULL, akmp)) 4452 return 0; 4453 4454 return -1; 4455} 4456 4457 4458void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth, 4459 const u8 *sta_addr) 4460{ 4461 struct rsn_pmksa_cache_entry *pmksa; 4462 4463 if (wpa_auth == NULL || wpa_auth->pmksa == NULL) 4464 return; 4465 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL); 4466 if (pmksa) { 4467 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for " 4468 MACSTR " based on request", MAC2STR(sta_addr)); 4469 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa); 4470 } 4471} 4472 4473 4474int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf, 4475 size_t len) 4476{ 4477 if (!wpa_auth || !wpa_auth->pmksa) 4478 return 0; 4479 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len); 4480} 4481 4482 4483void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth) 4484{ 4485 if (wpa_auth && wpa_auth->pmksa) 4486 pmksa_cache_auth_flush(wpa_auth->pmksa); 4487} 4488 4489 4490#ifdef CONFIG_PMKSA_CACHE_EXTERNAL 4491#ifdef CONFIG_MESH 4492 4493int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr, 4494 char *buf, size_t len) 4495{ 4496 if (!wpa_auth || !wpa_auth->pmksa) 4497 return 0; 4498 4499 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len); 4500} 4501 4502 4503struct rsn_pmksa_cache_entry * 4504wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk, 4505 const u8 *pmkid, int expiration) 4506{ 4507 struct rsn_pmksa_cache_entry *entry; 4508 struct os_reltime now; 4509 4510 entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa, 4511 spa, 0, NULL, WPA_KEY_MGMT_SAE); 4512 if (!entry) 4513 return NULL; 4514 4515 os_get_reltime(&now); 4516 entry->expiration = now.sec + expiration; 4517 return entry; 4518} 4519 4520 4521int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth, 4522 struct rsn_pmksa_cache_entry *entry) 4523{ 4524 int ret; 4525 4526 if (!wpa_auth || !wpa_auth->pmksa) 4527 return -1; 4528 4529 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry); 4530 if (ret < 0) 4531 wpa_printf(MSG_DEBUG, 4532 "RSN: Failed to store external PMKSA cache for " 4533 MACSTR, MAC2STR(entry->spa)); 4534 4535 return ret; 4536} 4537 4538#endif /* CONFIG_MESH */ 4539#endif /* CONFIG_PMKSA_CACHE_EXTERNAL */ 4540 4541 4542struct rsn_pmksa_cache_entry * 4543wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, 4544 const u8 *pmkid) 4545{ 4546 if (!wpa_auth || !wpa_auth->pmksa) 4547 return NULL; 4548 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid); 4549} 4550 4551 4552void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa, 4553 struct wpa_state_machine *sm, 4554 struct wpa_authenticator *wpa_auth, 4555 u8 *pmkid, u8 *pmk) 4556{ 4557 if (!sm) 4558 return; 4559 4560 sm->pmksa = pmksa; 4561 os_memcpy(pmk, pmksa->pmk, PMK_LEN); 4562 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN); 4563 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN); 4564} 4565 4566 4567/* 4568 * Remove and free the group from wpa_authenticator. This is triggered by a 4569 * callback to make sure nobody is currently iterating the group list while it 4570 * gets modified. 4571 */ 4572static void wpa_group_free(struct wpa_authenticator *wpa_auth, 4573 struct wpa_group *group) 4574{ 4575 struct wpa_group *prev = wpa_auth->group; 4576 4577 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d", 4578 group->vlan_id); 4579 4580 while (prev) { 4581 if (prev->next == group) { 4582 /* This never frees the special first group as needed */ 4583 prev->next = group->next; 4584 os_free(group); 4585 break; 4586 } 4587 prev = prev->next; 4588 } 4589 4590} 4591 4592 4593/* Increase the reference counter for group */ 4594static void wpa_group_get(struct wpa_authenticator *wpa_auth, 4595 struct wpa_group *group) 4596{ 4597 /* Skip the special first group */ 4598 if (wpa_auth->group == group) 4599 return; 4600 4601 group->references++; 4602} 4603 4604 4605/* Decrease the reference counter and maybe free the group */ 4606static void wpa_group_put(struct wpa_authenticator *wpa_auth, 4607 struct wpa_group *group) 4608{ 4609 /* Skip the special first group */ 4610 if (wpa_auth->group == group) 4611 return; 4612 4613 group->references--; 4614 if (group->references) 4615 return; 4616 wpa_group_free(wpa_auth, group); 4617} 4618 4619 4620/* 4621 * Add a group that has its references counter set to zero. Caller needs to 4622 * call wpa_group_get() on the return value to mark the entry in use. 4623 */ 4624static struct wpa_group * 4625wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id) 4626{ 4627 struct wpa_group *group; 4628 4629 if (wpa_auth == NULL || wpa_auth->group == NULL) 4630 return NULL; 4631 4632 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d", 4633 vlan_id); 4634 group = wpa_group_init(wpa_auth, vlan_id, 0); 4635 if (group == NULL) 4636 return NULL; 4637 4638 group->next = wpa_auth->group->next; 4639 wpa_auth->group->next = group; 4640 4641 return group; 4642} 4643 4644 4645/* 4646 * Enforce that the group state machine for the VLAN is running, increase 4647 * reference counter as interface is up. References might have been increased 4648 * even if a negative value is returned. 4649 * Returns: -1 on error (group missing, group already failed); otherwise, 0 4650 */ 4651int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id) 4652{ 4653 struct wpa_group *group; 4654 4655 if (wpa_auth == NULL) 4656 return 0; 4657 4658 group = wpa_auth->group; 4659 while (group) { 4660 if (group->vlan_id == vlan_id) 4661 break; 4662 group = group->next; 4663 } 4664 4665 if (group == NULL) { 4666 group = wpa_auth_add_group(wpa_auth, vlan_id); 4667 if (group == NULL) 4668 return -1; 4669 } 4670 4671 wpa_printf(MSG_DEBUG, 4672 "WPA: Ensure group state machine running for VLAN ID %d", 4673 vlan_id); 4674 4675 wpa_group_get(wpa_auth, group); 4676 group->num_setup_iface++; 4677 4678 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 4679 return -1; 4680 4681 return 0; 4682} 4683 4684 4685/* 4686 * Decrease reference counter, expected to be zero afterwards. 4687 * returns: -1 on error (group not found, group in fail state) 4688 * -2 if wpa_group is still referenced 4689 * 0 else 4690 */ 4691int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id) 4692{ 4693 struct wpa_group *group; 4694 int ret = 0; 4695 4696 if (wpa_auth == NULL) 4697 return 0; 4698 4699 group = wpa_auth->group; 4700 while (group) { 4701 if (group->vlan_id == vlan_id) 4702 break; 4703 group = group->next; 4704 } 4705 4706 if (group == NULL) 4707 return -1; 4708 4709 wpa_printf(MSG_DEBUG, 4710 "WPA: Try stopping group state machine for VLAN ID %d", 4711 vlan_id); 4712 4713 if (group->num_setup_iface <= 0) { 4714 wpa_printf(MSG_ERROR, 4715 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.", 4716 vlan_id); 4717 return -1; 4718 } 4719 group->num_setup_iface--; 4720 4721 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 4722 ret = -1; 4723 4724 if (group->references > 1) { 4725 wpa_printf(MSG_DEBUG, 4726 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold", 4727 vlan_id); 4728 ret = -2; 4729 } 4730 4731 wpa_group_put(wpa_auth, group); 4732 4733 return ret; 4734} 4735 4736 4737int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id) 4738{ 4739 struct wpa_group *group; 4740 4741 if (sm == NULL || sm->wpa_auth == NULL) 4742 return 0; 4743 4744 group = sm->wpa_auth->group; 4745 while (group) { 4746 if (group->vlan_id == vlan_id) 4747 break; 4748 group = group->next; 4749 } 4750 4751 if (group == NULL) { 4752 group = wpa_auth_add_group(sm->wpa_auth, vlan_id); 4753 if (group == NULL) 4754 return -1; 4755 } 4756 4757 if (sm->group == group) 4758 return 0; 4759 4760 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 4761 return -1; 4762 4763 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state " 4764 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id); 4765 4766 wpa_group_get(sm->wpa_auth, group); 4767 wpa_group_put(sm->wpa_auth, sm->group); 4768 sm->group = group; 4769 4770 return 0; 4771} 4772 4773 4774void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth, 4775 struct wpa_state_machine *sm, int ack) 4776{ 4777 if (wpa_auth == NULL || sm == NULL) 4778 return; 4779 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR 4780 " ack=%d", MAC2STR(sm->addr), ack); 4781 if (sm->pending_1_of_4_timeout && ack) { 4782 /* 4783 * Some deployed supplicant implementations update their SNonce 4784 * for each EAPOL-Key 2/4 message even within the same 4-way 4785 * handshake and then fail to use the first SNonce when 4786 * deriving the PTK. This results in unsuccessful 4-way 4787 * handshake whenever the relatively short initial timeout is 4788 * reached and EAPOL-Key 1/4 is retransmitted. Try to work 4789 * around this by increasing the timeout now that we know that 4790 * the station has received the frame. 4791 */ 4792 int timeout_ms = eapol_key_timeout_subseq; 4793 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 " 4794 "timeout by %u ms because of acknowledged frame", 4795 timeout_ms); 4796 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 4797 eloop_register_timeout(timeout_ms / 1000, 4798 (timeout_ms % 1000) * 1000, 4799 wpa_send_eapol_timeout, wpa_auth, sm); 4800 } 4801 4802#ifdef CONFIG_TESTING_OPTIONS 4803 if (sm->eapol_status_cb) { 4804 sm->eapol_status_cb(sm->eapol_status_cb_ctx1, 4805 sm->eapol_status_cb_ctx2); 4806 sm->eapol_status_cb = NULL; 4807 } 4808#endif /* CONFIG_TESTING_OPTIONS */ 4809} 4810 4811 4812int wpa_auth_uses_sae(struct wpa_state_machine *sm) 4813{ 4814 if (sm == NULL) 4815 return 0; 4816 return wpa_key_mgmt_sae(sm->wpa_key_mgmt); 4817} 4818 4819 4820int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm) 4821{ 4822 if (sm == NULL) 4823 return 0; 4824 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE; 4825} 4826 4827 4828#ifdef CONFIG_P2P 4829int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr) 4830{ 4831 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0) 4832 return -1; 4833 os_memcpy(addr, sm->ip_addr, 4); 4834 return 0; 4835} 4836#endif /* CONFIG_P2P */ 4837 4838 4839int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth, 4840 struct radius_das_attrs *attr) 4841{ 4842 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr); 4843} 4844 4845 4846void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth) 4847{ 4848 struct wpa_group *group; 4849 4850 if (!wpa_auth) 4851 return; 4852 for (group = wpa_auth->group; group; group = group->next) 4853 wpa_group_config_group_keys(wpa_auth, group); 4854} 4855 4856 4857#ifdef CONFIG_FILS 4858 4859struct wpa_auth_fils_iter_data { 4860 struct wpa_authenticator *auth; 4861 const u8 *cache_id; 4862 struct rsn_pmksa_cache_entry *pmksa; 4863 const u8 *spa; 4864 const u8 *pmkid; 4865}; 4866 4867 4868static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx) 4869{ 4870 struct wpa_auth_fils_iter_data *data = ctx; 4871 4872 if (a == data->auth || !a->conf.fils_cache_id_set || 4873 os_memcmp(a->conf.fils_cache_id, data->cache_id, 4874 FILS_CACHE_ID_LEN) != 0) 4875 return 0; 4876 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid); 4877 return data->pmksa != NULL; 4878} 4879 4880 4881struct rsn_pmksa_cache_entry * 4882wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth, 4883 const u8 *sta_addr, const u8 *pmkid) 4884{ 4885 struct wpa_auth_fils_iter_data idata; 4886 4887 if (!wpa_auth->conf.fils_cache_id_set) 4888 return NULL; 4889 idata.auth = wpa_auth; 4890 idata.cache_id = wpa_auth->conf.fils_cache_id; 4891 idata.pmksa = NULL; 4892 idata.spa = sta_addr; 4893 idata.pmkid = pmkid; 4894 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata); 4895 return idata.pmksa; 4896} 4897 4898 4899#ifdef CONFIG_IEEE80211R_AP 4900int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, int use_sha384, 4901 u8 *buf, size_t len) 4902{ 4903 struct wpa_auth_config *conf = &wpa_auth->conf; 4904 4905 return wpa_write_ftie(conf, use_sha384, conf->r0_key_holder, 4906 conf->r0_key_holder_len, 4907 NULL, NULL, buf, len, NULL, 0); 4908} 4909#endif /* CONFIG_IEEE80211R_AP */ 4910 4911 4912void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm, 4913 u8 *fils_anonce, u8 *fils_snonce, 4914 u8 *fils_kek, size_t *fils_kek_len) 4915{ 4916 os_memcpy(fils_anonce, sm->ANonce, WPA_NONCE_LEN); 4917 os_memcpy(fils_snonce, sm->SNonce, WPA_NONCE_LEN); 4918 os_memcpy(fils_kek, sm->PTK.kek, WPA_KEK_MAX_LEN); 4919 *fils_kek_len = sm->PTK.kek_len; 4920} 4921 4922 4923void wpa_auth_add_fils_pmk_pmkid(struct wpa_state_machine *sm, const u8 *pmk, 4924 size_t pmk_len, const u8 *pmkid) 4925{ 4926 os_memcpy(sm->PMK, pmk, pmk_len); 4927 sm->pmk_len = pmk_len; 4928 os_memcpy(sm->pmkid, pmkid, PMKID_LEN); 4929 sm->pmkid_set = 1; 4930} 4931 4932#endif /* CONFIG_FILS */ 4933 4934 4935void wpa_auth_set_auth_alg(struct wpa_state_machine *sm, u16 auth_alg) 4936{ 4937 if (sm) 4938 sm->auth_alg = auth_alg; 4939} 4940 4941 4942#ifdef CONFIG_DPP2 4943void wpa_auth_set_dpp_z(struct wpa_state_machine *sm, const struct wpabuf *z) 4944{ 4945 if (sm) { 4946 wpabuf_clear_free(sm->dpp_z); 4947 sm->dpp_z = z ? wpabuf_dup(z) : NULL; 4948 } 4949} 4950#endif /* CONFIG_DPP2 */ 4951 4952 4953#ifdef CONFIG_TESTING_OPTIONS 4954 4955int wpa_auth_resend_m1(struct wpa_state_machine *sm, int change_anonce, 4956 void (*cb)(void *ctx1, void *ctx2), 4957 void *ctx1, void *ctx2) 4958{ 4959 const u8 *anonce = sm->ANonce; 4960 u8 anonce_buf[WPA_NONCE_LEN]; 4961 4962 if (change_anonce) { 4963 if (random_get_bytes(anonce_buf, WPA_NONCE_LEN)) 4964 return -1; 4965 anonce = anonce_buf; 4966 } 4967 4968 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 4969 "sending 1/4 msg of 4-Way Handshake (TESTING)"); 4970 wpa_send_eapol(sm->wpa_auth, sm, 4971 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 4972 anonce, NULL, 0, 0, 0); 4973 return 0; 4974} 4975 4976 4977int wpa_auth_resend_m3(struct wpa_state_machine *sm, 4978 void (*cb)(void *ctx1, void *ctx2), 4979 void *ctx1, void *ctx2) 4980{ 4981 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos; 4982#ifdef CONFIG_IEEE80211W 4983 u8 *opos; 4984#endif /* CONFIG_IEEE80211W */ 4985 size_t gtk_len, kde_len; 4986 struct wpa_group *gsm = sm->group; 4987 u8 *wpa_ie; 4988 int wpa_ie_len, secure, keyidx, encr = 0; 4989 4990 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 4991 GTK[GN], IGTK, [FTIE], [TIE * 2]) 4992 */ 4993 4994 /* Use 0 RSC */ 4995 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 4996 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 4997 wpa_ie = sm->wpa_auth->wpa_ie; 4998 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 4999 if (sm->wpa == WPA_VERSION_WPA && 5000 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 5001 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 5002 /* WPA-only STA, remove RSN IE and possible MDIE */ 5003 wpa_ie = wpa_ie + wpa_ie[1] + 2; 5004 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN) 5005 wpa_ie = wpa_ie + wpa_ie[1] + 2; 5006 wpa_ie_len = wpa_ie[1] + 2; 5007 } 5008 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 5009 "sending 3/4 msg of 4-Way Handshake (TESTING)"); 5010 if (sm->wpa == WPA_VERSION_WPA2) { 5011 /* WPA2 send GTK in the 4-way handshake */ 5012 secure = 1; 5013 gtk = gsm->GTK[gsm->GN - 1]; 5014 gtk_len = gsm->GTK_len; 5015 keyidx = gsm->GN; 5016 _rsc = rsc; 5017 encr = 1; 5018 } else { 5019 /* WPA does not include GTK in msg 3/4 */ 5020 secure = 0; 5021 gtk = NULL; 5022 gtk_len = 0; 5023 keyidx = 0; 5024 _rsc = NULL; 5025 if (sm->rx_eapol_key_secure) { 5026 /* 5027 * It looks like Windows 7 supplicant tries to use 5028 * Secure bit in msg 2/4 after having reported Michael 5029 * MIC failure and it then rejects the 4-way handshake 5030 * if msg 3/4 does not set Secure bit. Work around this 5031 * by setting the Secure bit here even in the case of 5032 * WPA if the supplicant used it first. 5033 */ 5034 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 5035 "STA used Secure bit in WPA msg 2/4 - " 5036 "set Secure for 3/4 as workaround"); 5037 secure = 1; 5038 } 5039 } 5040 5041 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm); 5042 if (gtk) 5043 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 5044#ifdef CONFIG_IEEE80211R_AP 5045 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 5046 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 5047 kde_len += 300; /* FTIE + 2 * TIE */ 5048 } 5049#endif /* CONFIG_IEEE80211R_AP */ 5050 kde = os_malloc(kde_len); 5051 if (kde == NULL) 5052 return -1; 5053 5054 pos = kde; 5055 os_memcpy(pos, wpa_ie, wpa_ie_len); 5056 pos += wpa_ie_len; 5057#ifdef CONFIG_IEEE80211R_AP 5058 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 5059 int res; 5060 size_t elen; 5061 5062 elen = pos - kde; 5063 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name); 5064 if (res < 0) { 5065 wpa_printf(MSG_ERROR, "FT: Failed to insert " 5066 "PMKR1Name into RSN IE in EAPOL-Key data"); 5067 os_free(kde); 5068 return -1; 5069 } 5070 pos -= wpa_ie_len; 5071 pos += elen; 5072 } 5073#endif /* CONFIG_IEEE80211R_AP */ 5074 if (gtk) { 5075 u8 hdr[2]; 5076 hdr[0] = keyidx & 0x03; 5077 hdr[1] = 0; 5078 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 5079 gtk, gtk_len); 5080 } 5081#ifdef CONFIG_IEEE80211W 5082 opos = pos; 5083 pos = ieee80211w_kde_add(sm, pos); 5084 if (pos - opos >= 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) { 5085 /* skip KDE header and keyid */ 5086 opos += 2 + RSN_SELECTOR_LEN + 2; 5087 os_memset(opos, 0, 6); /* clear PN */ 5088 } 5089#endif /* CONFIG_IEEE80211W */ 5090 if (ocv_oci_add(sm, &pos) < 0) { 5091 os_free(kde); 5092 return -1; 5093 } 5094 5095#ifdef CONFIG_IEEE80211R_AP 5096 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 5097 int res; 5098 struct wpa_auth_config *conf; 5099 5100 conf = &sm->wpa_auth->conf; 5101 if (sm->assoc_resp_ftie && 5102 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) { 5103 os_memcpy(pos, sm->assoc_resp_ftie, 5104 2 + sm->assoc_resp_ftie[1]); 5105 res = 2 + sm->assoc_resp_ftie[1]; 5106 } else { 5107 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt); 5108 5109 res = wpa_write_ftie(conf, use_sha384, 5110 conf->r0_key_holder, 5111 conf->r0_key_holder_len, 5112 NULL, NULL, pos, 5113 kde + kde_len - pos, 5114 NULL, 0); 5115 } 5116 if (res < 0) { 5117 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 5118 "into EAPOL-Key Key Data"); 5119 os_free(kde); 5120 return -1; 5121 } 5122 pos += res; 5123 5124 /* TIE[ReassociationDeadline] (TU) */ 5125 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 5126 *pos++ = 5; 5127 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 5128 WPA_PUT_LE32(pos, conf->reassociation_deadline); 5129 pos += 4; 5130 5131 /* TIE[KeyLifetime] (seconds) */ 5132 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 5133 *pos++ = 5; 5134 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 5135 WPA_PUT_LE32(pos, conf->r0_key_lifetime); 5136 pos += 4; 5137 } 5138#endif /* CONFIG_IEEE80211R_AP */ 5139 5140 wpa_send_eapol(sm->wpa_auth, sm, 5141 (secure ? WPA_KEY_INFO_SECURE : 0) | 5142 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 5143 WPA_KEY_INFO_MIC : 0) | 5144 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 5145 WPA_KEY_INFO_KEY_TYPE, 5146 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 5147 os_free(kde); 5148 return 0; 5149} 5150 5151 5152int wpa_auth_resend_group_m1(struct wpa_state_machine *sm, 5153 void (*cb)(void *ctx1, void *ctx2), 5154 void *ctx1, void *ctx2) 5155{ 5156 u8 rsc[WPA_KEY_RSC_LEN]; 5157 struct wpa_group *gsm = sm->group; 5158 const u8 *kde; 5159 u8 *kde_buf = NULL, *pos, hdr[2]; 5160#ifdef CONFIG_IEEE80211W 5161 u8 *opos; 5162#endif /* CONFIG_IEEE80211W */ 5163 size_t kde_len; 5164 u8 *gtk; 5165 5166 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 5167 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 5168 /* Use 0 RSC */ 5169 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 5170 "sending 1/2 msg of Group Key Handshake (TESTING)"); 5171 5172 gtk = gsm->GTK[gsm->GN - 1]; 5173 if (sm->wpa == WPA_VERSION_WPA2) { 5174 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 5175 ieee80211w_kde_len(sm) + ocv_oci_len(sm); 5176 kde_buf = os_malloc(kde_len); 5177 if (kde_buf == NULL) 5178 return -1; 5179 5180 kde = pos = kde_buf; 5181 hdr[0] = gsm->GN & 0x03; 5182 hdr[1] = 0; 5183 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 5184 gtk, gsm->GTK_len); 5185#ifdef CONFIG_IEEE80211W 5186 opos = pos; 5187 pos = ieee80211w_kde_add(sm, pos); 5188 if (pos - opos >= 5189 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) { 5190 /* skip KDE header and keyid */ 5191 opos += 2 + RSN_SELECTOR_LEN + 2; 5192 os_memset(opos, 0, 6); /* clear PN */ 5193 } 5194#endif /* CONFIG_IEEE80211W */ 5195 if (ocv_oci_add(sm, &pos) < 0) { 5196 os_free(kde_buf); 5197 return -1; 5198 } 5199 kde_len = pos - kde; 5200 } else { 5201 kde = gtk; 5202 kde_len = gsm->GTK_len; 5203 } 5204 5205 sm->eapol_status_cb = cb; 5206 sm->eapol_status_cb_ctx1 = ctx1; 5207 sm->eapol_status_cb_ctx2 = ctx2; 5208 5209 wpa_send_eapol(sm->wpa_auth, sm, 5210 WPA_KEY_INFO_SECURE | 5211 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 5212 WPA_KEY_INFO_MIC : 0) | 5213 WPA_KEY_INFO_ACK | 5214 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 5215 rsc, NULL, kde, kde_len, gsm->GN, 1); 5216 5217 os_free(kde_buf); 5218 return 0; 5219} 5220 5221 5222int wpa_auth_rekey_gtk(struct wpa_authenticator *wpa_auth) 5223{ 5224 if (!wpa_auth) 5225 return -1; 5226 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 5227 return eloop_register_timeout(0, 0, wpa_rekey_gtk, wpa_auth, NULL); 5228} 5229 5230#endif /* CONFIG_TESTING_OPTIONS */ 5231